
CVE-2018-17418 PoC: Monstra CMS security vulnerability

Source
Associated Vulnerability
Title: Monstra CMS security vulnerability (CVE-2018-17418)
Description: Monstra CMS is a lightweight PHP-based content management system (CMS) by the Ukrainian software developer Sergey Romanenko. Monstra CMS 3.0.4 contains a security vulnerability caused by the file plugins\box\filesmanager\filesmanager.admin.php mishandling the forbidden_types variable. A remote attacker can exploit it to execute arbitrary PHP code by uploading a file whose extension uses mixed case.
Description
monstra_cms-3.0.4 upload getshell, CVE-2018-17418
Readme
# monstra_cms-3.0.4--getshell
monstra_cms-3.0.4 upload getshell, CVE-2018-17418

Code analysis:

At line 150 of monstra\plugins\box\filesmanager\filesmanager.admin.php the forbidden_types variable is used as a blacklist of extensions. Follow that variable to see how it is defined.

![Alt text](5.png) 

The blacklist itself is defined at line 22 of the same file. The comparison is case-sensitive, so it can be bypassed by changing the case of the extension.

 ![Alt text](6.png) 
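As an added illustration, not Monstra's own code, the following PHP contrasts the case-sensitive blacklist pattern described above with a hardened check that lowercases the extension and uses an allowlist. The forbidden_types and allowed_types values are constructed for this example, not copied from the project.

```php
<?php
// Added example (not Monstra's code). Contrasts a case-sensitive extension
// blacklist, the pattern described for forbidden_types, with a hardened check.

// Constructed blacklist; the real forbidden_types list is not reproduced here.
const FORBIDDEN_TYPES = ['php', 'phtml', 'php3', 'php4', 'php5', 'phps', 'htaccess'];

// Vulnerable pattern: the raw extension is compared against the blacklist,
// so "PhP" never matches "php" even though the web server treats them alike.
function isForbiddenCaseSensitive(string $filename): bool
{
    $ext = pathinfo($filename, PATHINFO_EXTENSION);
    return in_array($ext, FORBIDDEN_TYPES, true);
}

// Hardened pattern: lowercase every dotted segment, reject any forbidden
// segment (this also catches "shell.php.jpg"), and require the final
// extension to be on a constructed allowlist rather than merely absent
// from a blacklist.
const ALLOWED_TYPES = ['jpg', 'jpeg', 'png', 'gif', 'txt', 'pdf'];

function isAllowedUpload(string $filename): bool
{
    $segments = explode('.', basename($filename));
    if (count($segments) < 2) {
        return false;                      // no extension at all
    }
    array_shift($segments);                // drop the base name
    foreach ($segments as $segment) {
        if (in_array(strtolower($segment), FORBIDDEN_TYPES, true)) {
            return false;
        }
    }
    return in_array(strtolower(end($segments)), ALLOWED_TYPES, true);
}

// Demonstration on constructed file names, including the mixed-case case
// from the PoC above.
foreach (['shell.php', 'shell.PhP', 'shell.php.jpg', 'photo.JPG'] as $name) {
    printf("%-14s blacklist blocks: %-3s  hardened allows: %s\n",
        $name,
        isForbiddenCaseSensitive($name) ? 'yes' : 'no',
        isAllowedUpload($name) ? 'yes' : 'no');
}
```

Only the mixed-case and double-extension names slip past the blacklist check, while the hardened check accepts only the image name.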

Actual demonstration:

The Files function under the Content tab has an upload button.

![Alt text](1.png) 

Intercept the upload request with Burp and change the extension to PhP.

![Alt text](2.png) 

The upload succeeds.

![Alt text](3.png) 

Connect to the uploaded file with China Chopper.

![Alt text](4.png) 
File Snapshot

[4.0K] /data/pocs/f31c6599d4a6a78f2ccb1eb887c1a4e27a0db78b
├── [ 55K] 1.png
├── [166K] 2.png
├── [ 18K] 3.png
├── [ 83K] 4.png
├── [ 81K] 5.png
├── [ 36K] 6.png
└── [1.1K] README.md

0 directories, 7 files