[kwlug-disc] Identify this exploit?
Mikalai Birukou
mb at 3nsoft.com
Sat Dec 28 10:06:15 EST 2019
Yes, this dot operator is not sanitizing paths.
Is this a "let's try" automated trawling of web? I wonder, what region
is request IP from.
On 2019-12-28 10:00 a.m., Mikalai Birukou via kwlug-disc wrote:
>
> I've duckduckgo-ed GET /download.php?file=../.
>
> This shows up
> https://www.tutorialrepublic.com/php-tutorial/php-file-download.php
>
> There is download.php example file in it with
>
> ```
>
> |$file = urldecode($_REQUEST["file"]); // Decode URL-encoded string
> $filepath = "images/" . $file; |
>
> ```
>
> PHP isn't my language, but nothing here jumps out, saying sanitize path.
>
> How many people can use this example to add a download functionality
> to whatever app/site. StackOverflow style programming?
>
> May be its a good idea to search system for download.php?
>
>
> On 2019-12-28 1:49 a.m., Paul Nijjar via kwlug-disc wrote:
>> In my Apache logs I saw something like this, and my search-engine
>> skills are weak:
>>
>> 133.18.209.124 - - [27/Dec/2019:04:09:39 -0500] "GET /download.php?file=../../../../../../../../../../../../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
>>
>> It's pretty obvious what they are trying to do, but I am having
>> trouble figuring out what the target is, exactly. Is this an exploit
>> in a popular web package I should know about?
>>
>> - Paul
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
--
Mikalai Birukou
CEO | 3NSoft Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20191228/c6dd5c79/attachment.htm>
More information about the kwlug-disc
mailing list