Local File Download Theory

Home / Hacking, News, Security / Local File Download Theory

December 29, 2009 PlanetCreator 0 Comments 0 tags

1 What's Local File Download(LFD)?
- Local file download is kind of misconfigured web master or webdeveloper on php application.

2 Effect

2.1 Personal/website
- You will able to view all php source code in plain text.
- php source code is such as mysql connection data, eg: host, username, password and database

3 vulnerable source code
- Example 1
<?php
header("Content-type: application/octet-stream");
header("Content-disposition: attachment; filename=".$_GET['tbdsec']);
echo file_get_contents($_GET['tbdsec']);
?>
- Example 2
<?php
$filename = $_GET['hmsec'];
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Content-Type: application/force-download");
header("Content-Type: application/octet-stream");
header("Content-Type: application/download");
header("Content-Disposition: attachment; filename=".basename($filename).";");
header("Content-Transfer-Encoding: binary");
header("Content-Length: ".filesize($filename));
@readfile($filename);
exit(0);
?>

4 Proof of Concept
- http://localhost/tbdsec.php?hmsec=configuration.php
- Download it, and open it.
- Walla! you able to all code in that page!

5 Patch code
- To admin/webmaster ask your web developer fix it :D

6 Suggestion
- Please don't you direct download, at least filter it.

7 Dork?
- No DORK For Script Kiddies

8 Thanks/Credits
- TDBSecurity(www.tbd.my<http://www.tbd.my>)
- HMSecurity(www.hmsecurity.org<http://www.hmsecurity.org>)
- Ahli Syurga Crew
- XShimeX
- Suhz
- And Google :D

Author: Ahlspiess

Explore More

Critical Blind SQL injection in ChartNexus.com

PlanetCreator has reported another critical Blind SQL Injection (vulnerability) on http://www.starinvestorrelations.com/ which owned by FiNEX Solutions Pte. Ltd. (“FiNEX Solutions”) powered by http://www.chartnexus.com/ This vulnerability has been alerted to :-

Cyber attacks are real but is there any foolproof defense yet?

Tulip Systems Inc., the world renowned high bandwidth and broadcast stream hosting service US corporation was under repeated cyber attacks aimed at disrupting web services during the Georgia-Russia standoff few

What are the security holes in the Basic Authentication scheme?

The Basic Authentication scheme uses the username and password and encrypts the password using base64 encoding. In spite of this, there are still many security holes in the Basic Authentication

[webapps] FreeBSD rtsold 15.x - Remote Code Execution via DNSSL
on December 25, 2025 at 12:00 am
FreeBSD rtsold 15.x - Remote Code Execution via DNSSL
[webapps] Chained Quiz 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie
on December 25, 2025 at 12:00 am
Chained Quiz 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie
[webapps] WordPress Quiz Maker 6.7.0.56 - SQL Injection
on December 25, 2025 at 12:00 am
WordPress Quiz Maker 6.7.0.56 - SQL Injection
[webapps] esm-dev 136 - Path Traversal
on December 16, 2025 at 12:00 am
esm-dev 136 - Path Traversal
[webapps] Summar Employee Portal 3.98.0 - Authenticated SQL Injection
on December 16, 2025 at 12:00 am
Summar Employee Portal 3.98.0 - Authenticated SQL Injection