module

MaraCMS Arbitrary PHP File Upload

Try Surface Command
Back to search
Disclosed
2020-08-31
Created
2020-09-26

Description

This module exploits an arbitrary file upload vulnerability in
MaraCMS 7.5 and prior in order to execute arbitrary commands.

The module first attempts to authenticate to MaraCMS. It then tries
to upload a malicious PHP file to the web root via an HTTP POST
request to `codebase/handler.php.` If the `php` target is selected,
the payload is embedded in the uploaded file and the module attempts
to execute the payload via an HTTP GET request to this file. For the
`linux` and `windows` targets, the module uploads a simple PHP web
shell similar to ``. Subsequently, it
leverages the CmdStager mixin to deliver the final payload via a
series of HTTP GET requests to the PHP web shell.

Valid credentials for a MaraCMS `admin` or `manager` account are
required. This module has been successfully tested against MaraCMS
7.5 running on Windows Server 2012 (XAMPP server).

Authors

Michele Cisternino
Erik Wynter

Platform

Linux,PHP,Windows

Architectures

x86, x64, php

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


    msf > use exploit/multi/http/maracms_upload_exec
    msf exploit(maracms_upload_exec) > show targets
        ...targets...
    msf exploit(maracms_upload_exec) > set TARGET < target-id >
    msf exploit(maracms_upload_exec) > show options
        ...show and set options...
    msf exploit(maracms_upload_exec) > exploit
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today