Monstra CMS 3.0.4 Remote Shell Upload

Type packetstorm
Reporter Ishaq Mohammed
Modified 2017-12-17T00:00:00


                                            `Exploit Title: Monstra CMS - 3.0.4 RCE  
Vendor Homepage:  
Software Link:  
Discovered by: Ishaq Mohammed  
Category: webapps  
Platform: PHP  
Advisory Link:  
MonstraCMS 3.0.4 allows users to upload arbitrary files which leads to a  
remote command execution on the remote server.  
Vulnerable Code:  
line 19:  
public static function main()  
// Array of forbidden types  
$forbidden_types = array('html', 'htm', 'js', 'jsb', 'mhtml', 'mht',  
'php', 'phtml', 'php3', 'php4', 'php5',  
'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh',  
'ksh', 'bsh', 'c', 'htaccess', 'htpasswd',  
'exe', 'scr', 'dll', 'msi', 'vbs', 'bat',  
'com', 'pif', 'cmd', 'vxd', 'cpl', 'empty');  
Proof of Concept  
Steps to Reproduce:  
1. Login with a valid credentials of an Editor  
2. Select Files option from the Dropdown menu of Content  
3. Upload a file with PHP (uppercase)extension containing the below code:  
4. Click on Upload  
5. Once the file is uploaded Click on the uploaded file and add ?cmd= to  
the URL followed by a system command such as whoami,time,date etc.  
Recommended Patch:  
We were not able to get the vendor to respond in any way, the software  
appears to have been left abandoned without support a though this is not an  
official status on their site (last official patch was released on  
2012-11-29), the github appears a bit more active (last commit from 2 years  
The patch that addresses this bug is available here:  
Best Regards,  
Ishaq Mohammed