_\|/_
(o o)
+----oOO-{_}-OOo--------------+
|==> Author: MR.XpR +
+==> FB.Com/Mr.XpR +
+==> IRaNHACK.ORG +
|==> Hosseinxpr@gmail.com +
+-----------------------------+
# Exploit Title: elFinder 2.0 (rc1) - file manager for web - File Upload
# Version : 2.0
# Risk : High
# Date : 25 June 2014
# Download SoftWare : https://github.com/downloads/Studio-42/elFinder/elfinder-2.0-rc1.tar.gz
# Publisher : http://elfinder.org/
# GooGle Dorks : inurl:elfinder.html inurl:inurl:/elfinder/elfinder.html inurl:ckeditor/elfinder/elfinder.html
# Tested on : Linux , 7
# ScreenShot 1 : http://uploaderx.persiangig.com/Demo/elfinder_Remote_File_Uploader.png
# ScreenShot 2 : http://uploaderx.persiangig.com/Demo/elfinder_Remote_File_Uploader2.png
# Video Demo : https://www.youtube.com/watch?v=nk7x5gy0vHs&feature=youtu.be
# Info :
You can upload .php, .php3, .php6, .txt, .html, .pl, .htaccess and other file types without restriction.
Upload your webshell and load it from one of these paths:
site.com/var/upload/ro0t.php
site.com/files/upload/ro0t.php
site.com/var/upload/ro0t.php
To get the file URL, double-click the file to open it in the iframe page.
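The weakness described above is that the rc1 connector stores whatever filename the client sends, so server-executable names (.php, .php6, .pl, .htaccess) land in a web-served directory. The following is an added illustration written for this page, not elFinder's own code or the advisory author's: it implements the allowlist check an upload handler needs (every extension segment is inspected, dotfiles are refused, the comparison is case-insensitive) and reuses the same classifier to sweep an existing upload directory for files that should never have been accepted. The policy sets ALLOWED_EXTENSIONS and DANGEROUS_EXTENSIONS and the sample directory tree are constructed for the example.

```python
"""Upload-name allowlist check plus a sweep of an upload directory.

Added example for this page; not elFinder code. Models the filename
policy that an upload handler must enforce so that names the web server
would interpret (.php, .php3, .php6, .pl, .htaccess, ...) are rejected,
and reuses that policy to audit a directory that was exposed to an
unfiltered uploader.
"""
import os
import tempfile
from pathlib import Path

# Assumed policy: what an image/document upload folder legitimately needs.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Constructed list of extensions that are executed server-side or rendered
# as active content (the advisory's .php/.php3/.php6/.pl/.html among them).
DANGEROUS_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php6", "php7", "phtml", "phar",
    "pl", "cgi", "html", "htm", "shtml",
}


def classify_upload_name(name: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed upload filename.

    Every extension segment is checked, not only the last one, so a name
    like 'shell.php.jpg' is refused: some Apache mod_mime configurations
    pick a handler from an inner extension.
    """
    base = os.path.basename(name.replace("\\", "/"))  # drop any path part
    if base in ("", ".", ".."):
        return False, "empty or traversal name"
    if "\x00" in base:
        return False, "NUL byte in name"
    if base.startswith("."):
        return False, "dotfile (e.g. .htaccess) can change server behaviour"
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    exts = parts[1:]
    for ext in exts:
        if ext in DANGEROUS_EXTENSIONS:
            return False, f"server-executable extension '.{ext}'"
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension '.{exts[-1]}' not in allowlist"
    return True, "ok"


def sweep_upload_dir(root: str) -> list[tuple[str, str]]:
    """List (relative path, reason) for every file under root that the
    policy would refuse. Uses os.walk so dotfiles are not skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            accepted, reason = classify_upload_name(fname)
            if not accepted:
                rel = os.path.relpath(os.path.join(dirpath, fname), root)
                findings.append((rel.replace(os.sep, "/"), reason))
    return sorted(findings)


def demo() -> list[tuple[str, str]]:
    """Build a constructed upload tree (sample data, not a real site) and
    sweep it; returns the refused entries."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("photo.jpg", "report.pdf", "ro0t.php", "test.php6",
                    ".htaccess", "IRH/shell.php.jpg", "notes.txt"):
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("sample")
        return sweep_upload_dir(tmp)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Running the script prints the four refused entries from the constructed tree (.htaccess, IRH/shell.php.jpg, ro0t.php, test.php6). On a real deployment, point sweep_upload_dir at the elFinder root directory; any hit there is either a policy gap or evidence that the uploader has already been abused, and the upload directory should additionally be served with script execution disabled so that a filename check is not the only control.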
# Exploit :
Site.com/var/ckeditor/elfinder/elfinder.html
# P0c :
http://hhschoten.lionturtle.be/editor/tinymce/plugins/elfinder/elfinder.html
http://allcall.info/var/ckeditor/elfinder/elfinder.html
http://elfinder.org/
http://gemaraberura.com/app/moodle/local/filemanager/elfinder.html
http://dev.illuminz.com/pms/library/fm/elfinder.html
http://dl.ajums.ac.ir/radny/misc/elfinder/elfinder.html
http://www.giaccheverdi.it/admin/elfinder/elfinder.html
# Online Demo :
http://hhschoten.lionturtle.be/editor/uploads/WeBShell.php
http://elfinder.org/files/test/test.php
http://allcall.info/var/upload/IRH/test.php
http://www.giaccheverdi.it/admin/upimmagini/test.php6
http://www.giaccheverdi.it/admin/upimmagini/uploder.php6
./iranhack.org
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information