File viewing and downloading vulnerabilities occur when websites fail to restrict user access to files, allowing malicious users to view or download sensitive files. These vulnerabilities are often found in links with parameters like path, file, or src. Exploitation involves downloading configuration files (e.g., SSH, WebLogic), log files to find backend addresses or upload points, and web business files for white-box auditing. Attackers may attempt to read bash history to check for root privileges, navigate directories using '../', or download applicationContext.xml and .class files for decompilation in Java+Oracle environments. With root access, the locate command can be used to find files via the mlocate.db database. Mitigation includes filtering '.' to prevent directory traversal, strict input validation, and configuring open_basedir in php.ini to limit file access scope.
File Download
1. Vulnerability Overview
Websites commonly need to provide file viewing or file download functionality to meet business requirements. However, if no restrictions are placed on which files users can view or download, a malicious user may view or download arbitrary sensitive files — this is known as a File Viewing and Download vulnerability.
2. Where It Occurs
2.1 Common Link Patterns
download.php?path=
down.php?file=
data.php?file=
download.php?filename=
2.2 Commonly Involved Parameters
&src=
&inputfile=
&filepath=
&path=
&data=
3. Exploitation Techniques
Download common configuration files, such as those for SSH, WebLogic, FTP, MySQL, and related services.
Download various .log files and look for backend admin URLs, file upload endpoints, and similar targets. With a bit of luck, you may even stumble upon backdoors left by previous attackers.
Log files are essentially activity records. Every log entry has three core elements: a timestamp (when something happened), an event level (INFO / WARN / ERROR), and a specific message (what happened or what crashed).
Download the web application's source files for white-box auditing, then leverage any discovered vulnerabilities to further breach the server. Try reading /root/.bash_history to check whether you have root privileges.
If you don't have root, you'll have to proceed methodically — use ../ to navigate around and read configuration files under .ssh, as well as the .bash_history file under MySQL, to see if any useful information has been logged. Then download each code file you need for auditing one by one. This can become quite tedious; often you'll have to guess directory names and download middleware log files for analysis.
If you're dealing with a Java + Oracle environment, start by downloading /WEB-INF/classes/applicationContext.xml — this file contains the web server's response configuration. Then download /WEB-INF/classes/xxx/xxx/ccc.class, decompile it, and search for the keyword "upload" to see if any API endpoints exist. If so, you can build an upload page locally and use that API endpoint to transfer your payload onto the server.
If you do have root privileges, you can use the Linux locate command to find files or directories. Rather than searching a specific directory, locate queries a database at /var/lib/mlocate/mlocate.db that contains information about every file on the local system. Linux creates this database automatically and updates it once a day. When you have no idea what the paths are, this is practically a nuclear weapon — use the arbitrary file download vulnerability to grab mlocate.db, then use the locate command to dump all the data into a file containing every file path on the system.
How to use locate: locate mlocate.db admin
This will output every entry in mlocate.db that contains "admin" in the filename.
1. Vulnerability Overview
Websites commonly need to provide file viewing or file download functionality to meet business requirements. However, if no restrictions are placed on which files users can view or download, a malicious user may view or download arbitrary sensitive files — this is known as a File Viewing and Download vulnerability.
2. Where It Occurs
2.1 Common Link Patterns
2.2 Commonly Involved Parameters
3. Exploitation Techniques
4. Common Exploitation Paths
5. Remediation