
5 changes to exploits/shellcodes

2345 Security Guard 3.7 - '2345NsProtect.sys' Denial of Service
FxCop 10/12 - XML External Entity Injection
Microsoft Windows FxCop 10/12 - XML External Entity Injection
Apple Safari 3.2.x - 'XXE' Local File Theft
Apple Safari 3.2.x - XML External Entity Local File Theft
Open-AudIT Community - 2.2.0 – Cross-Site Scripting
Open-AudIT Community 2.2.0 - Cross-Site Scripting
Monstra CMS 3.0.4 - Remote Code Execution
XATABoost 1.0.0 - SQL Injection
Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell Shellcode (96 Bytes)
# Exploit Title: Monstra CMS 3.0.4 Upload Plugin Remote code execution CVE-2018-9037
# Date: 2018-05-14
# Exploit Author: Jameel Nabbo
# Vendor Homepage: https://github.com/monstra-cms/monstra
# Software Link: https://github.com/monstra-cms/monstra
# Version: 3.0.4
# Tested on: MAC OSX
# CVE :CVE-2018-9037


Monstra CMS 3.0.4 allows remote code execution via an upload_file request for a .zip file,
which is automatically extracted and may contain .php files.


Steps to Reproduce
1: Log in as a user with page editing permissions
2: Upload a plugin archive containing php webshell code
3: After successful upload we can execute the command.

Then go to: http://127.0.0.1/plugins/{Name_Of_Zip_File_You_Uploaded}/{File_In_Zip}.php

Solution
Filter plugin content during plugin upload
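
Review bot: the closing Solution line ("Filter plugin content during plugin upload") does not say what is filtered or where, so a reader cannot check it against a fix. The description ties the issue to an upload_file request whose .zip is automatically extracted and may contain .php files, and step 1 says page editing permissions are enough to reach it, so the Solution should name both controls: which role is allowed to make the upload_file request, and what the extraction step rejects. The header also gives "Tested on: MAC OSX" with no PHP or web server version, which makes it harder to confirm that a test environment matches the one the report was written against.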