This module exploits an arbitrary file upload vulnerability in
MaraCMS 7.5 and prior in order to execute arbitrary commands.
The module first attempts to authenticate to MaraCMS. It then tries
to upload a malicious PHP file to the web root via an HTTP POST
request to `codebase/handler.php.` If the `php` target is selected,
the payload is embedded in the uploaded file and the module attempts
to execute the payload via an HTTP GET request to this file. For the
`linux` and `windows` targets, the module uploads a simple PHP web
shell similar to ``. Subsequently, it
leverages the CmdStager mixin to deliver the final payload via a
series of HTTP GET requests to the PHP web shell.
Valid credentials for a MaraCMS `admin` or `manager` account are
required. This module has been successfully tested against MaraCMS
7.5 running on Windows Server 2012 (XAMPP server).
- Michele Cisternino
- Erik Wynter
x86, x64, php