Sometimes, when visiting a website, we find a link to download files from that site. The downloaded file can be a guide, tutorial, or another document.
When hunting private programs on Bugcrowd, I found a link to download PDF files with the following format:
When accessing the link, then the browser will download the file
file.pdf. The first I think when finding such a URL, of course, I wonder if there is a Local File Download bug on the link.
So to do the test, I tried to change the URL be like this:
But nothing happened :(
There are several possibilities that I can think when I found the index.php file could not be downloaded. First, the download feature has been protected so that we cannot download files that are not permitted, or second, the download feature is directed to another host, maybe as a CDN or something so that the index.php file does not exist.
For the second possibility, maybe this is the code used:
$host = 'https://cdn.redacted.com'; $file = $_GET['file']; $download_url = $host .'/'. $file;
In the code above, it appears that the
host of the file to be downloaded has been hardcoded in the code so that we can manipulate only the
To find out if our assumptions about the URL format are correct, the easiest way is to try to redirect to another domain by adding the @ symbol at the end of the
file parameter value and followed by the domain.
And boom! The HTML code from www.google.com was downloaded.
This means that through this vulnerability, we can only download data that is outside the server, cannot access files that are on the target. Then what data can we possibly get?
Knowing that the server is on Amazon AWS, so I tried to extract AWS Metadata through the vulnerability.
AWS Metadata Exists at URL:
Then the URL is modified like this:
But nothing happened again :(
After some time, I realized that the possibility of a hardcode host using the
HTTPS protocol, so when we try to redirect to the Metadata URL that is using the
HTTP protocol, the redirect process doesn’t work.
For that, I use a little trick by using a domain that uses
HTTPS and then redirect again to the URL of the Metadata.
Server Target ---> HTTPS domain ---> URL Metadata
For that, I created a simple
PHP file to redirect to Metadata:
<?php header('location: http://169.254.169.254/latest/meta-data/');
Then the file is uploaded to a domain that uses HTTPS. Then the final URL will be like this:
And the Metadata was downloaded!
For this finding, I got
P1 on Bugcrowd.
- CWE-200 : Information Exposure