This module exploits an authenticated file upload vulnerability in Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by the .htaccess file not preventing the execution of .pht, .phar, and .xhtml files. Files with these extensions are not included in the .htaccess blacklist, hence these files can be uploaded and executed to achieve remote code execution. In this module, a .phar file with a randomized name is uploaded and executed to receive a Meterpreter session on the target, then deletes itself afterwards.
PHP
php
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/multi/http/subrion_cms_file_upload_rce
msf exploit(subrion_cms_file_upload_rce) > show targets
...targets...
msf exploit(subrion_cms_file_upload_rce) > set TARGET < target-id >
msf exploit(subrion_cms_file_upload_rce) > show options
...show and set options...
msf exploit(subrion_cms_file_upload_rce) > exploit
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security