search

ElFinder

ElFinder Exploits

ko-fiarrow-up-right

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI - Ref: https://github.com/Studio-42/elFinderarrow-up-right

hashtag
CVE-2023-52044 - ElFinder 2.1.62 - RCE

Studio-42 eLfinder 2.1.62 is vulnerable to Remote Code Execution (RCE) as there is no restriction for uploading files with the .php8 extension.

  1. Select arbitrary png file to upload

  2. Capture request with Burp and set content as test<?php phpinfo();?>

  3. Set filename like test.php8

  4. After forwarding the request, the file is successfully uploaded under the files directory

LogoCVE-2023-52044 - GitHub Advisory DatabaseGitHubchevron-right
LogoRemote Code Execution (RCE) in studio-42/elfinder | CVE-2023-52044 | SnykLearn more about Composer with Snyk Open Source Vulnerability Databasechevron-right

hashtag
CVE-2023-35840 - elFinder < 2.1.62 - Path Traversal

LogoGitHub - afine-com/CVE-2023-35840: elFinder < 2.1.62 - Path Traversal vulnerability in PHP LocalVolumeDriver connectorGitHubchevron-right

hashtag
elFinder < 2.6.61 - RCE

LogoRemote Code Execution (RCE) in studio-42/elfinder | CVE-2022-27115 | SnykLearn more about Composer with Snyk Open Source Vulnerability Databasechevron-right

  1. Upload a PHP file the contains a payload with a preceding a, i.e: a<?php <payload>?>.

  2. Add two dots after the file name: shell.php...

  3. The shell file is successfully uploaded by bypassing detection and can be accessed via files/shell.php.

hashtag
CVE-2022-26960 - LFI

elFinder through 2.1.60 is affected by local file inclusion via connector.minimal.php.

LogoelFinder: The story of a repwningSynacktivchevron-right

hashtag
CVE-2021-32682 - RCE

LogoelFinder - A Case Study of Web File Manager VulnerabilitiesSonarSourcechevron-right
Logovulhub/elfinder/CVE-2021-32682 at master · vulhub/vulhubGitHubchevron-right

Create a plain text file named 1.txt

Archive this file in the right-click menu to ZIP format, and modify this archived file name to 2.zip:

1.txt and 2.zip are ready here

Then, send the following request to execute arbitrary commands:

In this request, you can see 3 important parameters:

  • name, its value is equal to -TvTT=id>shell.php # a.zip, you can modify the id>shell.php to arbitrary commands

  • targets[0], its value is equal to l1_MS50eHQ. l1 means the first storage volume, MS50eHQ is the base64 encoded string of 1.txt

  • targets[1], its value is equal to l1_Mi56aXA. l1 means the first storage volume, Mi56aXA is the base64 encoded string of 2.zip

Although this request responeds to an error message, our command has been executed and shell.php has been written to http://your-ip:8080/files/shell.php

hashtag
CVE-2021-43421 RCE in elFinder <2.1.60

LogoCVE-2021-43421 RCE in elFinder <2.1.60 · Issue #4090 · projectdiscovery/nuclei-templatesGitHubchevron-right
LogoRCE elFinder 2.1.59 · Issue #3429 · Studio-42/elFinderGitHubchevron-right

hashtag
elFinder 2.1.57 RCE

LogoRemote Code Execution in elFinder 2.1.57 · Issue #3295 · Studio-42/elFinderGitHubchevron-right

hashtag
elFinder Web file manager Version: 2.1.53 Remote Command Execution

LogoelFinder Web file manager Version - 2.1.53 Remote Command ExecutionExploit Databasechevron-right

hashtag
CVE-2019-9194 - elFinder <= 2.1.47 - Command Injection

Vulnerability in the PHP connector

LogoelFinder 2.1.47 - 'PHP connector' Command InjectionExploit Databasechevron-right
LogoGitHub - hadrian3689/elFinder_2.1.47_php_connector_rceGitHubchevron-right

hashtag
Interesting Books

Interesting Bookschevron-right
circle-info

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

hashtag
Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

ko-fiarrow-up-right

buymeacoffeearrow-up-right

PreviousDenodo SchedulerNextF5 Big-IP

Last updated