Intelliants Subrion CMS 4.2.1 - Authenticated File Upload Bypass to RCE
Description
This module exploits an authenticated file upload vulnerability in Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by the .htaccess file not preventing the execution of .pht, .phar, and .xhtml files. Files with these extensions are not included in the .htaccess blacklist, hence these files can be uploaded and executed to achieve remote code execution. In this module, a .phar file with a randomized name is uploaded and executed to receive a Meterpreter session on the target, then deletes itself afterwards.
Author(s)
- Hexife
- Fellipe Oliveira
- Ismail E. Dawoodjee
Platform
PHP
Architectures
php
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/multi/http/subrion_cms_file_upload_rce
msf exploit(subrion_cms_file_upload_rce) > show targets
...targets...
msf exploit(subrion_cms_file_upload_rce) > set TARGET < target-id >
msf exploit(subrion_cms_file_upload_rce) > show options
...show and set options...
msf exploit(subrion_cms_file_upload_rce) > exploit
- Collect and share all the information you need to conduct a successful and efficient penetration test
- Simulate complex attacks against your systems and users
- Test your defenses to make sure they’re ready
- Automate Every Step of Your Penetration Test
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security