PHP Remote File Inclusion and RCE in flatpressblog/flatpress
Reported on
Oct 4th 2022
Description
FlatPress has an "uploader" feature for uploading files and a "media manager" for displaying them. By uploading PHP files, users can perform a PHP Remote File Inclusion attack and gain RCE. Copy the following code and save it as test.Php (note the uppercase).
Proof of Concept (test.Php)
test<?php phpinfo(); ?>
- Log in to http://demos4.softaculous.com/FlatPresseidiiohclz/admin.php?p=uploader&action=default
- Go to the uploader and upload this PHP file
- Go to the media manager and click on the PHP file, or open it from the direct link
- http://demos4.softaculous.com/FlatPresseidiiohclz/admin.php?p=uploader&action=mediamanager
- http://demos4.softaculous.com/FlatPresseidiiohclz/fp-content/attachs/test.php
- PHP RCE!
If you need more specific information, feel free to contact me.
Impact
Successful exploitation of PHP file inclusion may result in information disclosure or compromise of the vulnerable system. A remote attacker can read and write files or execute arbitrary code on the target system with the privileges of the web server. In this case we can do all of these things.
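
The report's note about the uppercase in test.Php suggests an extension check that compares case-sensitively. The sketch below is an added example, not FlatPress's code or its fix: it assumes such a deny-list check and contrasts it with a lowercase allow-list check. The function names, the extension lists and the sample file names are all hypothetical.

```php
<?php
// Added example: hypothetical upload checks, not taken from FlatPress.

// Weak form (assumed): case-sensitive deny-list on the last extension.
// "test.Php" is not in the list, so it is accepted.
function weak_is_allowed(string $name): bool
{
    $denied = ['php', 'php5', 'phtml'];
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    return !in_array($ext, $denied, true);
}

// Hardened form: allow-list compared after lowercasing, and exactly one
// extension required, so "x.pHp.jpg" and dotfiles are rejected as well.
function hardened_is_allowed(string $name): bool
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt']; // constructed list
    $base = basename(str_replace('\\', '/', $name));
    $parts = explode('.', strtolower($base));
    if (count($parts) !== 2 || $parts[0] === '') {
        return false; // no extension, dotfile, or more than one extension
    }
    return in_array($parts[1], $allowed, true);
}

// Store under a server-chosen name so the client never controls the path.
// Call only after hardened_is_allowed() has returned true.
function stored_name(string $name): string
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, including the one from the report.
foreach (['photo.JPG', 'test.php', 'test.Php', 'x.pHp.jpg', '.htaccess'] as $n) {
    printf("%-10s weak=%-5s hardened=%s\n", $n,
        var_export(weak_is_allowed($n), true),
        var_export(hardened_is_allowed($n), true));
}
```

Independently of the name check, the upload directory should be served with script execution disabled, so that a file that slips through is returned as data rather than run.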