On 02/17/2015 08:25 PM, Brad Cable wrote:
The /genLink URL will generate the expiretime for you, which requires
the Referer header being set.  No User-Agent detection is used from what
I can tell.  This is then dumped directly to stdout and wrapped by
another wget.  Works for me on multiple OSes at different physical
locations.

wget "`wget --header="Referer: http://www.fosshub.com/FreeFileSync.html" "http://www.fosshub.com/genLink/FreeFileSync/FreeFileSync_6.14_Windows_Setup.exe" -O /dev/stdout`"

Fun fact:

badurl=aHR0cDovL3d3dy5mb3NzaHViLmNvbS9GcmVlRmlsZVN5bmMuaHRtbA==/41affbb904a577f14aeace96bc39786f8840601489dcb8f9e12de18037e1c481


Is just a base64 encoded string of
"http://www.fosshub.com/FreeFileSync.html".  XSS exploit here, they
should fix that (could use a fosshub.com link to direct someone to a bad
URL, then the system redirects them to the attacker's phishing site).

For instance, this link redirects to Google:

http://files.fosshub.com/Protected/expiretime=9424210916;badurl=aHR0cDovL2dvb2dsZS5jb20=/FreeFileSync/FreeFileSync_6.14_Windows_Setup.exe


-Brad



On 02/17/2015 09:53 PM, ToddAndMargo wrote:
On 02/17/2015 07:51 PM, Phil Wyett wrote:
On Wed, 2015-02-18 at 03:47 +0000, Phil Wyett wrote:
On Tue, 2015-02-17 at 18:52 -0800, ToddAndMargo wrote:
On 02/17/2015 02:10 PM, Brad Cable wrote:

On 02/17/2015 04:08 PM, Brad Cable wrote:
Looks like the path alone is fine to pass to wget, the server
doesn't
seem to check all the cookies.

wget "http://files.fosshub.com/Protected/expiretime=1424210916;badurl=aHR0cDovL3d3dy5mb3NzaHViLmNvbS9GcmVlRmlsZVN5bmMuaHRtbA==/41affbb904a577f14aeace96bc39786f8840601489dcb8f9e12de18037e1c481/FreeFileSync/FreeFileSync_6.14_Windows_Setup.exe"



-Brad


On 02/17/2015 04:05 PM, ToddAndMargo wrote:
Hi All,

I am trying to write a script to download the latest
version of Free File Sync.

http://www.fosshub.com/FreeFileSync.html

Problem, it redirects and downloads from FossHub.
Firefox's CliGet plugin tells me this is the wget
command to download:

wget --header='Host: files.fosshub.com' \
  --header='User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0' \
  --header='Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
  --header='Accept-Language: en-US,en;q=0.5' \
  --header='Referer: http://www.fosshub.com/FreeFileSync.html' \
  --header='Cookie: __cfduid=df5c4cffdb92958c5fec1d6820562977a1420013499; __utma=109354002.1937444008.1422666016.1422666016.1423372212.2; __utmz=109354002.1423372212.2.2.utmcsr=thisisudax.org|utmccn=(referral)|utmcmd=referral|utmcct=/' \
  --header='Connection: keep-alive' \
  'http://files.fosshub.com/Protected/expiretime=1424210916;badurl=aHR0cDovL3d3dy5mb3NzaHViLmNvbS9GcmVlRmlsZVN5bmMuaHRtbA==/41affbb904a577f14aeace96bc39786f8840601489dcb8f9e12de18037e1c481/FreeFileSync/FreeFileSync_6.14_Windows_Setup.exe' \
  -O 'FreeFileSync_6.14_Windows_Setup.exe' -c

How in the dickens do I duplicate that from a script? Cookies and
bad url and all!

Many thanks,
-T


Problem is the stinkin' "badurl" changes with every click
on the download link.  I can't figure out how Firefox gets
that data so I can use it in my script



Hi all,

wget --referer=http://www.fosshub.com/ http://www.fosshub.com/download/FreeFileSync_6.14_Windows_Setup.exe

Just change the file for whatever you're after and happy days. ;-)

Regards

Phil


Hmm... Forget that. Worked once and now having an issue. Will look into
it some more.

Regards

Phil


Thank you.  I am stumped.



Hi Brad,

I thought you would like to see what kind of monster
you helped me create:

-T


GetFreeFileSync () {
   # Status: 0 = unknown (default)
   #         1 = no update found
   #         2 = update found
   #         3 = error

   RtnState=0
   OldFileName=""

   # NotifySound and GetNewRev are helpers defined elsewhere (not shown here)
   NotifySound
   WorkingDir="/home/CDs/Windows/FileSystem/FreeFileSync"
   if [ ! -d "$WorkingDir" ]; then mkdir "$WorkingDir"; fi
   # Stop here if the directory is unusable, so chmod/chown below never run elsewhere
   cd "$WorkingDir" || return 3
   BaseName="FreeFileSync"
   Extension="exe"
   RevAddr="http://www.freefilesync.org/download.php"
   DownloadAddr="$RevAddr"

   # Turn off any read only tags
   chmod -R 766 ${BaseName}*.${Extension}; chown -R tony.users ${BaseName}*.${Extension}

   # Newest revision already on disk, taken from the file names
   OldRev="$(ls "$WorkingDir"/               | \
                grep -v -i "WebSite.txt"     | \
                grep -v -i "currentversion"  | \
                grep "$BaseName"             | \
                awk -F "_" '{print $2}'      | \
                sort -r                      | \
                sed -n 1,1p)"

   OldFileName="${WorkingDir}/${BaseName}_${OldRev}_Win_Setup.$Extension"

   # Latest revision advertised on the project's download page
   LatestRev="$(wget --quiet "$RevAddr" -O -             | \
                grep -i "Get FreeFileSync"               | \
                html2text -nobs -style pretty -width 132 | \
                awk '{print $3}')"

   if [ -z "${LatestRev}" ]; then
        echo "Error: ${FUNCNAME} could not get the latest rev"
        return 3
   fi

   LatestPath="http://iweb.dl.sourceforge.net/project/freefilesync/FreeFileSync/${LatestRev}/FreeFileSync_${LatestRev}_Windows_Setup.exe"

   NewFileName="${WorkingDir}/${BaseName}_${LatestRev}_Win_Setup.${Extension}"
   # echo "$(NewRev "${OldRev}" "${LatestRev}")"

   # Ask /genLink for a fresh download URL; the Referer header is required.
   # The literal single quotes keep the ";" in the URL intact inside Cmd.
   GenLink="'$(wget --header="Referer: http://www.fosshub.com/FreeFileSync.html" "http://www.fosshub.com/genLink/FreeFileSync/FreeFileSync_${LatestRev}_Windows_Setup.exe" -O /dev/stdout)'"

   Cmd="wget ${GenLink} --output-document ${NewFileName}"
   Status="$(GetNewRev "${Cmd}" "${OldRev}" "${LatestRev}" "${OldFileName}" "${NewFileName}" "${FUNCNAME}")"

   chmod -R 766 .; chown -R todd.users .
   return ${Status}
}
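
Added example, not part of the original thread: a check for the redirect issue Brad describes above, where the badurl path parameter is a base64-encoded URL and a link with an off-site value is followed. It decodes badurl from the two links quoted in the thread and accepts only allowlisted hosts; the allowlist and the function names are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Assumption: only the site's own hosts are legitimate redirect targets.
ALLOWED_HOSTS = {"fosshub.com", "www.fosshub.com", "files.fosshub.com"}
# ";badurl=<base64>" as it appears in the thread's links; "/" is left out
# of the character class because it ends the path segment.
BADURL_RE = re.compile(r";badurl=([A-Za-z0-9+]+={0,2})")

# The two links quoted in the thread.
BASE = "http://files.fosshub.com/Protected/"
TAIL = "/FreeFileSync/FreeFileSync_6.14_Windows_Setup.exe"
THREAD_LINKS = [
    BASE + "expiretime=1424210916;badurl="
    "aHR0cDovL3d3dy5mb3NzaHViLmNvbS9GcmVlRmlsZVN5bmMuaHRtbA=="
    "/41affbb904a577f14aeace96bc39786f8840601489dcb8f9e12de18037e1c481" + TAIL,
    BASE + "expiretime=9424210916;badurl=aHR0cDovL2dvb2dsZS5jb20=" + TAIL,
]

def decode_badurl(link):
    """Return the decoded badurl value, or None if absent or undecodable."""
    m = BADURL_RE.search(link)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def redirect_allowed(link, allowed=ALLOWED_HOSTS):
    """True only if badurl decodes to an http(s) URL on an allowed host."""
    target = decode_badurl(link)
    if target is None:
        return False  # fail closed on missing or malformed values
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    # hostname ignores any "user@" prefix, so "allowed.host@other" is rejected
    return parts.scheme in ("http", "https") and parts.hostname in allowed

def offsite_links(links):
    """Return the decoded targets of links whose badurl is not allowed."""
    return [decode_badurl(link) for link in links if not redirect_allowed(link)]

if __name__ == "__main__":
    for target in offsite_links(THREAD_LINKS):
        print("off-site redirect target:", target)
```

The same functions can be run over web server access logs to list requests whose badurl decodes to a host outside the allowlist.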
