This video shows how to hack a WordPress website using an Arbitrary File Download vulnerability.
1- Introduction to Arbitrary File Download
2- YouTube Hacking Video
1- What is Arbitrary File Download?
As the name suggests, if the web application doesn't check the file name requested by the user, any malicious user can exploit this vulnerability to download sensitive files from the server.
Many web applications have file download sections where a user can download one or more files of their choice. If the input is not properly sanitized before being used to retrieve files from the file cabinet, or to retrieve attachments from a received message or memo, it can be exploited to download arbitrary files from the system via directory traversal attacks.
Consider this example:
download_file('/var/www/store_file/' + params[:filename])
This method takes the user's input and assigns the value to the 'filename' parameter. When the user clicks on a file to download, it appends the 'filename' parameter to the directory path '/var/www/store_file/', which is used to store the files being downloaded. For example, if the user asks for 'myFile', the path will be '/var/www/store_file/myFile'. If the file exists, it's downloaded to the user's HD; otherwise the user gets the message 'File Not Found'.
The above is an example of an ideal situation, which is not always the case. If the developers have not properly validated the input from the user before assigning it to the 'filename' parameter, the consequences can be disastrous. If the user simply supplies '../../../etc/passwd' or '../../../etc/shadow', they can download the server's login information from the system, which can eventually be used to retrieve a valid user's account and finally to connect to and own the server, which I shall show in a real scenario that I came across. On a successful exploitation, any file present on the server can be downloaded, limited only by the privileges of the account the server is running as. In this case, as the application server was running as the highest privilege user (root) on the system, we were able to obtain a copy of the shadow file.
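As an added example that is not part of the original post, here is the vulnerable path join from above written out in Ruby beside a hardened version that confines every resolved path to the store directory; STORE_DIR, unsafe_download_path and safe_download_path are names assumed for this illustration.

```ruby
require "pathname"

# Constructed for this example: the same store directory the post uses.
STORE_DIR = "/var/www/store_file"

# Vulnerable: the untrusted file name is joined directly onto the store path.
# File.join does not normalise "..", so traversal segments survive into the
# path that is later opened and sent to the client.
def unsafe_download_path(filename)
  File.join(STORE_DIR, filename)
end

# Hardened: resolve the requested path lexically, then require that the result
# still lies inside STORE_DIR. Returns the canonical path, or nil when the
# request is empty, contains a NUL byte, or would escape the store directory.
def safe_download_path(filename)
  return nil if filename.nil? || filename.empty? || filename.include?("\0")

  base = Pathname.new(STORE_DIR).cleanpath
  # Pathname#+ consumes ".." against the base and replaces it entirely when the
  # right-hand side is absolute, so containment must be checked afterwards
  # rather than assumed from the join.
  resolved = (base + filename).cleanpath

  # Require a strict descendant: the trailing "/" also rejects a request for
  # the store directory itself and for siblings such as "/var/www/store_file2".
  return nil unless resolved.to_s.start_with?(base.to_s + "/")

  # On a live server, follow this with File.realpath on the existing file and
  # repeat the prefix check, so a symlink inside the store cannot point outside it.
  resolved.to_s
end
```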