finding vunerabilities

Discussion in 'Web Design & Coding' started by forcer, Jun 3, 2003.

  1. forcer

    forcer OSNN Senior Addict

    i was checking for vunerabilities on a server to see if i could download mp3 files without them knowing, i was successful. i coded the script below, entered the big long url into a box clicked generate and it told me the actual mp3 link.

    for instance a url such as: uri=L2hvbWUwL2Rhei9wdWJsaWNfaHRtbC9tcDMvY2hvb25zLw

    would be decoded with my script and would shoot out the link: - Devil - What the hell mix.mp3

    i click the link and download the mp3.

    and this is the code i used:
    if ($_GET['url']) { 
    $tstart strpos($_GET['url'], 'tune=')+5
    $tend strpos($_GET['url'], '&'$tstart); 
    $tune urldecode(substr($_GET['url'], $tstart$tend-$tstart)); 
    $ustart strpos($_GET['url'], 'uri=')+4
    $uend strpos($_GET['url'], '&'$ustart); 
    $uri base64_decode(substr($_GET['url'], $ustart$uend-$ustart)); 
    $url ''.substr($uri22).$tune
    "<font size=\"2\" face=\"Arial, Helvetica, sans-serif\"><a href=\"$url\">$url</a></font>"

    and the test was successful the mp3 downloaded.

    but for the second test we used a random number uri. Meaning the download link is:

    and when i put that through my script above it shoots out a link like this:¼Acida - Acida.mp3

    which works, apart from it hides the directory which is mp3/choons/ with ¼

    we are still looking for a way around this.

    how can this url be decoded and display the correct url. any help or comments highly appreciated
  2. X-Istence

    X-Istence * Political User

    Well that really is not a vulniribilty. Its more like a way they have coded their script.