checking for vulnerabilities

forcer
Forum Newbie
Posts: 1
Joined: Tue Jun 03, 2003 2:34 pm

Post by forcer »

I was checking for vulnerabilities on a server to see if I could download mp3 files without them knowing; I was successful. I coded the script below, entered the big long URL into a box, clicked generate and it told me the actual mp3 link.

For instance, a URL such as:

http://www.site.net/downloadMP3.php?tun ... %20mix.mp3&uri=L2hvbWUwL2Rhei9wdWJsaWNfaHRtbC9tcDMvY2hvb25zLw==&id=979

would be decoded with my script and would shoot out the link:

http://www.site.net/mp3/choons/666 - Devil - What the hell mix.mp3

I click the link and download the mp3.

And this is the code I used:

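<?php
// Only run when a pasted download URL was submitted.
if (!empty($_GET['url'])) {
    // Extract the "tune" parameter (the file name) and URL-decode it.
    $tstart = strpos($_GET['url'], 'tune=')+5;
    $tend = strpos($_GET['url'], '&', $tstart);
    $tune = urldecode(substr($_GET['url'], $tstart, $tend-$tstart));
    // Extract the "uri" parameter and base64-decode it to a server path.
    $ustart = strpos($_GET['url'], 'uri=')+4;
    $uend = strpos($_GET['url'], '&', $ustart);
    $uri = base64_decode(substr($_GET['url'], $ustart, $uend-$ustart));
    // Drop the first 22 characters of the decoded path and append the file name.
    $url = 'http://www.site.net'.substr($uri, 22).$tune;
    // Encode before output: the value comes straight from user input.
    $safe = htmlspecialchars($url, ENT_QUOTES);
    // Inner double quotes must be escaped inside a double-quoted string.
    echo "<font size=\"2\" face=\"Arial, Helvetica, sans-serif\"><a href=\"$safe\">$safe</a></font>";
}
?>

And the test was successful; the mp3 downloaded.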

But for the second test we used a random number uri, meaning the download link is:

http://www.site.net/downloadMP3.php?tun ... wHd&id=195

And when I put that through my script above it shoots out a link like this:

http://www.site.net¼Acida - Acida.mp3

which works, apart from it hides the directory which is mp3/choons/ with ¼

We are still looking for a way around this.

How can this URL be decoded and display the correct URL? Any help or comments highly appreciated.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

Taking this link http://www.site.net/downloadMP3.php?tun ... wHd&id=195
I see three parameters: tune, uri and id.
But what is $_GET['url']?
And what do you want to achieve?
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

.htaccess (or, better, directory if can set that) & registration - login - authentication?
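
Added example, not part of the thread or any poster's code: one server-side way to apply the suggestion above, so the download URL carries only an id, no path or file name travels in a parameter, and the files sit outside the web root (or in a directory denied via .htaccess). `MEDIA_ROOT`, the `user_id` session key and the catalogue array are assumptions; the two file names are the ones quoted in the thread.

```php
<?php
declare(strict_types=1);
// downloadMP3.php, hardened sketch. Assumptions (not from the thread):
// MEDIA_ROOT is a canonical path outside the web root, and a separate
// login script sets $_SESSION['user_id'] after authenticating the user.

const MEDIA_ROOT = '/srv/media/mp3';   // hypothetical, not web-served

// Constructed catalogue: id => file name. In practice a database table.
const CATALOGUE = [
    979 => '666 - Devil - What the hell mix.mp3',
    195 => 'Acida - Acida.mp3',
];

// Map an id to an absolute path; null if unknown, missing or outside root.
function resolveTrack(int $id): ?string
{
    if (!array_key_exists($id, CATALOGUE)) {
        return null;
    }
    // realpath() returns false for a missing file and resolves any "..".
    $path = realpath(MEDIA_ROOT . '/' . CATALOGUE[$id]);
    if ($path === false || strpos($path, MEDIA_ROOT . '/') !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) {      // authentication gate
    http_response_code(403);
    exit('Login required');
}

// The id is the only client-supplied input and must be an integer.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$path = is_int($id) ? resolveTrack($id) : null;
if ($path === null) {
    http_response_code(404);
    exit('Unknown track');
}

header('Content-Type: audio/mpeg');
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);                        // stream the file through PHP
```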