module
Intelliants Subrion CMS 4.2.1 - Authenticated File Upload Bypass to RCE
| Disclosed | Created |
|---|---|
| 2018-11-04 | 2023-08-03 |
Disclosed
2018-11-04
Created
2023-08-03
Description
This module exploits an authenticated file upload vulnerability in
Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by
the .htaccess file not preventing the execution of .pht, .phar, and
.xhtml files. Files with these extensions are not included in the
.htaccess blacklist, hence these files can be uploaded and executed
to achieve remote code execution. In this module, a .phar file with
a randomized name is uploaded and executed to receive a Meterpreter
session on the target, then deletes itself afterwards.
Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by
the .htaccess file not preventing the execution of .pht, .phar, and
.xhtml files. Files with these extensions are not included in the
.htaccess blacklist, hence these files can be uploaded and executed
to achieve remote code execution. In this module, a .phar file with
a randomized name is uploaded and executed to receive a Meterpreter
session on the target, then deletes itself afterwards.
Authors
Hexife
Fellipe Oliveira
Ismail E. Dawoodjee
Fellipe Oliveira
Ismail E. Dawoodjee
Platform
PHP
Architectures
php
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.