elFinder 2.x.x Arbitrary File Upload (Cross Site Request Forgery)

# Google Dork: intitle:"elFinder 2.1.x"
# Vendor Homepage: https://studio-42.github.io/elFinder/
# Software Link: https://github.com/Studio-42/elFinder/archive/2.1.47.tar.gz
# Version: <= 2.1.47
# Tested on: Linux 64bit + Python2.7
# PoC: https://www.secsignal.org/news/cve-2019-9194-triggering-and-exploiting-a-1-day-vulnerability/
# CVE: CVE-2019-9194
# Exploit:
  1. http://[TARGET]/[PATH]/elfinder/php/connector.php
  2. http://[TARGET]/[PATH]/elfinder/php/connector.minimal.php
  3. http://[TARGET]/[PATH]/elfinder/connectors/php/connector.php

# HTML:

# Python:

# WEB-BASED [PHP] Mass Exploit:

# Bash: