• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

finding vunerabilities


OSNN Senior Addict
i was checking for vunerabilities on a server to see if i could download mp3 files without them knowing, i was successful. i coded the script below, entered the big long url into a box clicked generate and it told me the actual mp3 link.

for instance a url such as:

www.site.net/downloadMP3.php?tune=666%20-%20Devil%20-%20What%20the%20hell%20mix.mp3& uri=L2hvbWUwL2Rhei9wdWJsaWNfaHRtbC9tcDMvY2hvb25zLw

would be decoded with my script and would shoot out the link:

www.site.net/mp3/choons/666 - Devil - What the hell mix.mp3

i click the link and download the mp3.

and this is the code i used:
if ($_GET['url']) { 
    $tstart = strpos($_GET['url'], 'tune=')+5; 
    $tend = strpos($_GET['url'], '&', $tstart); 
    $tune = urldecode(substr($_GET['url'], $tstart, $tend-$tstart)); 
    $ustart = strpos($_GET['url'], 'uri=')+4; 
    $uend = strpos($_GET['url'], '&', $ustart); 
    $uri = base64_decode(substr($_GET['url'], $ustart, $uend-$ustart)); 
    $url = 'http://www.site.net'.substr($uri, 22).$tune; 
    echo "<font size=\"2\" face=\"Arial, Helvetica, sans-serif\"><a href=\"$url\">$url</a></font>"; 
and the test was successful the mp3 downloaded.

but for the second test we used a random number uri. Meaning the download link is:


and when i put that through my script above it shoots out a link like this:

http://www.site.net¼Acida - Acida.mp3

which works, apart from it hides the directory which is mp3/choons/ with ¼

we are still looking for a way around this.

how can this url be decoded and display the correct url. any help or comments highly appreciated

Members online

No members online now.

Latest posts

Latest profile posts

Hello, is there anybody in there? Just nod if you can hear me ...
What a long strange trip it's been. =)

Forum statistics

Latest member