Rapid7 Vulnerability & Exploit Database

FlexDotnetCMS Arbitrary ASP File Upload

Back to Search

FlexDotnetCMS Arbitrary ASP File Upload

Disclosed
09/28/2020
Created
12/08/2020

Description

This module exploits an arbitrary file upload vulnerability in FlexDotnetCMS v1.5.8 and prior in order to execute arbitrary commands with elevated privileges. The module first tries to authenticate to FlexDotnetCMS via an HTTP POST request to `/login`. It then attempts to upload a random TXT file and subsequently uses the FlexDotnetCMS file editor to rename the TXT file to an ASP file. If this succeeds, the target is vulnerable and the ASP file is generated as a copy of the TXT file, which remains on the server. Next, the module sends another request to rename the TXT file to an ASP file, this time adding the payload. Finally, the module tries to execute the ASP payload via a simple HTTP GET request to `/media/uploads/asp_payload` Valid credentials for a FlexDotnetCMS user with permissions to use the FileManager are required. This module has been successfully tested against FlexDotnetCMS v1.5.8 running on Windows Server 2012.

Author(s)

  • Erik Wynter

Platform

Windows

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/http/flexdotnetcms_upload_exec
msf exploit(flexdotnetcms_upload_exec) > show targets
    ...targets...
msf exploit(flexdotnetcms_upload_exec) > set TARGET < target-id >
msf exploit(flexdotnetcms_upload_exec) > show options
    ...show and set options...
msf exploit(flexdotnetcms_upload_exec) > exploit

Metasploit

Penetration testing software for offensive security teams.
Key Features
Free Metasploit Pro Trial View All Features

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;