I came across a website that let you download a file I was interested in, and the download link looked similar to this: http://www.sitio.com/descarga/download.php?file=download.php
Requesting that to download the file and, eureka, we get download.php itself :)
<?php
$filename = $_GET['file']; // file name taken straight from the query string, unchecked
// addition by Jorg Weske
$file_extension = strtolower(substr(strrchr($filename, "."), 1)); // keep only the extension
if (!file_exists($filename)) { echo "not file"; exit; };
switch ($file_extension) { // the extension is used only to pick a MIME type
    case "pdf": $ctype = "application/pdf"; break;
    case "exe": $ctype = "application/octet-stream"; break;
    case "zip": $ctype = "application/zip"; break;
    case "doc": $ctype = "application/msword"; break;
    case "xls": $ctype = "application/vnd.ms-excel"; break;
    case "ppt": $ctype = "application/vnd.ms-powerpoint"; break;
    case "gif": $ctype = "image/gif"; break;
    case "png": $ctype = "image/png"; break;
    case "jpeg":
    case "jpg": $ctype = "image/jpg"; break;
    default: $ctype = "application/force-download";
}
// the header() calls and the readfile() of $filename follow
In the first line we can see that it takes the file name from the variable $_GET['file'] and saves it in $filename. Then, on line 4, the function takes the whole file name and keeps only its extension; for example, if the file to download is file.pdf, the variable $file_extension will contain pdf. This is what caught my attention while reading the code: the extension is computed, but it is used only to set the MIME type
(line 12), which is fine, but it could also have been used to filter with a blacklist so that dangerous extensions cannot be downloaded. On line 31 we set the name the file will have when it is presented to the user, on line 33 the Content-Length is the size of the file, and line 29 is the MIME type we talked about earlier. :) Since the download is done by a PHP script, we might think we can download any PHP file on the site, so let's download the index to see where it keeps the interesting data, such as the database connection :) http:/
When you open the index.php file you see this information, a bit more interesting than the previous one:
class_DB.php. We can download that file too, and inside it we see a much more interesting line: include("conectar.php"); Still wondering? ........... Right, we download the conectar.php file.
Now it is a matter of finding phpMyAdmin: the easy way is to try www.sitio.com/phpmyadmin, and if it is not there, launch some brute-forcer. Or, as I prefer, use the mysql client: first check with Nmap whether the port is open to the public :)
and now we connect
I think the danger of not validating input is clear: every piece of data the user supplies must always be verified. From a simple file download we could get at their data, breaking confidentiality and integrity, and we could also break the availability of their website.
For completeness, here is the same script with the safety added, so that no dangerous extension such as php, asp, inc, etc. can be downloaded and directories cannot be traversed.
} // end of the switch that sets $ctype
header("Pragma: public"); // required
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private", false); // required for certain browsers
header("Content-Type: $ctype");
header("Content-Disposition: attachment; filename=\"" . $filename . "\""); // name of the file in the download
header("Content-Transfer-Encoding: binary");
header("Content-Length: " . filesize($path)); // $path is the file inside the downloads folder
readfile("$path");
?>
On the second line we use the basename
function, which ensures that if the user supplies something like /carpeta/carpeta2/archivo.pdf we get back archivo.pdf, stripping the whole directory part, and with the help of line 3 we prepend a folder called downloads
, which will contain all the files for download (forgive the redundancy) and which the user can never escape. So, for example, if the user tries to download a file this way
The safety block: its first line checks with a regular expression whether the extension is one of those listed, and if it is, we redirect to the index (you can add as many extensions as you like).
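The following is an added example, not the script from the post nor Jorg Weske's original: a hardened download handler that applies the three measures described above (basename() to strip the directory part, a fixed downloads folder the request cannot escape, and an extension check). It goes one step beyond the post's blacklist by treating the MIME map itself as an allowlist, so php/asp/inc are refused simply because they are not listed, and it adds a realpath() containment check so a symlink inside the folder cannot point outside it. The directory name downloads/, the function names resolve_download and serve_download, and the sample files created in the self-check are all assumptions for this example.

```php
<?php
// Added example (not the blog's script). Assumption: downloadable files live in
// ./downloads/ next to this script; nothing outside that folder is ever served.
declare(strict_types=1);

// Extension -> MIME map. It doubles as the allowlist: anything not listed is
// refused, so .php/.inc/.asp never reach readfile() regardless of any denylist.
const ALLOWED_TYPES = [
    'pdf'  => 'application/pdf',
    'zip'  => 'application/zip',
    'doc'  => 'application/msword',
    'xls'  => 'application/vnd.ms-excel',
    'ppt'  => 'application/vnd.ms-powerpoint',
    'gif'  => 'image/gif',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

/**
 * Map a user-supplied file name to a safe absolute path inside $baseDir.
 * Returns [path, mime] or null if the request must be refused.
 */
function resolve_download(string $requested, string $baseDir): ?array
{
    // 1. basename() throws away any directory part, as the post describes:
    //    "../../etc/passwd" -> "passwd", "/carpeta/carpeta2/archivo.pdf" -> "archivo.pdf".
    $name = basename($requested);
    if ($name === '' || $name[0] === '.') {
        return null; // empty name or dot-file (.htaccess and friends)
    }

    // 2. Extension allowlist, case-insensitive. The post's regex denylist
    //    (php|asp|inc) is implied: those extensions are simply not in the map.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }

    // 3. Canonicalise and confirm the result is still inside the download folder.
    //    realpath() resolves symlinks, so a link pointing outside is caught too.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return [$path, ALLOWED_TYPES[$ext]];
}

/** Send the file, or a plain 404 that reveals nothing about why it was refused. */
function serve_download(string $requested, string $baseDir): void
{
    $resolved = resolve_download($requested, $baseDir);
    if ($resolved === null) {
        http_response_code(404);
        echo "not file";
        return;
    }
    [$path, $ctype] = $resolved;
    header('Content-Type: ' . $ctype);
    // basename() again so the header never carries a path; quotes and CR/LF removed
    // so the user cannot inject extra header lines through the file name.
    $safeName = str_replace(['"', "\r", "\n"], '', basename($path));
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

if (PHP_SAPI === 'cli') {
    // Constructed self-check: a temporary download folder with one pdf and one php file.
    $dir = sys_get_temp_dir() . '/dl_' . bin2hex(random_bytes(4));
    mkdir($dir);
    file_put_contents("$dir/report.pdf", '%PDF-1.4 demo');
    file_put_contents("$dir/download.php", '<?php // would leak the script source');
    $cases = ['report.pdf', '../../etc/passwd', 'download.php', '/x/y/report.pdf', '.htaccess'];
    foreach ($cases as $c) {
        $r = resolve_download($c, $dir);
        printf("%-20s -> %s\n", $c, $r === null ? 'refused' : $r[1]);
    }
    unlink("$dir/report.pdf");
    unlink("$dir/download.php");
    rmdir($dir);
} else {
    serve_download((string)($_GET['file'] ?? ''), __DIR__ . '/downloads');
}
```

Run it from the command line to see each constructed request either mapped to a MIME type or refused; deployed behind a web server it answers ?file= requests the same way. The order of the checks matters: the name is reduced to a basename before the extension is examined, and the realpath comparison runs last on the already-reduced name, so a traversal sequence or a symlink cannot reach past the downloads folder even if a future edit loosens the allowlist.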
It has been a long time since I did anything for the blog, because of the faculty and other personal matters :). I have to give a lecture at the Fa.CENA faculty in the High Performance Networks course, where I am a teaching assistant, and the topic I chose was Apache. Well,
the documentation itself is not very advanced, since it is nothing more than an introduction to what Apache is and how to configure it, aiming at security at an intermediate level, because I get only a single session and there are students who have never installed Apache or Linux, let alone worked with them, so one of my goals is obviously to get Debian running and configure Apache, which is the core of the class. I also work with
lampp; the thing is that this lecture is given in the final year and we are all busy with the thesis, and some are leaning towards PHP, and this package brings MySQL, PHP and Apache all bundled, although it would have been better to compile Apache from scratch, downloading it from the official website. Well, I think I chose this topic well to start fiddling with the basic and not-so-basic features of Apache; I leave the material below.