module

FlexDotnetCMS Arbitrary ASP File Upload

Try Surface Command
Back to search
Disclosed
2020-09-28
Created
2020-12-08

Description

This module exploits an arbitrary file upload vulnerability in
FlexDotnetCMS v1.5.8 and prior in order to execute arbitrary
commands with elevated privileges.

The module first tries to authenticate to FlexDotnetCMS via an HTTP
POST request to `/login`. It then attempts to upload a random TXT
file and subsequently uses the FlexDotnetCMS file editor to rename
the TXT file to an ASP file. If this succeeds, the target is
vulnerable and the ASP file is generated as a copy of the TXT file,
which remains on the server.

Next, the module sends another request to rename the TXT file to an
ASP file, this time adding the payload. Finally, the module tries
to execute the ASP payload via a simple HTTP GET request to
`/media/uploads/asp_payload`

Valid credentials for a FlexDotnetCMS user with permissions to use
the FileManager are required. This module has been successfully
tested against FlexDotnetCMS v1.5.8 running on Windows Server 2012.

Author

Erik Wynter

Platform

Windows

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


    msf > use exploit/windows/http/flexdotnetcms_upload_exec
    msf exploit(flexdotnetcms_upload_exec) > show targets
        ...targets...
    msf exploit(flexdotnetcms_upload_exec) > set TARGET < target-id >
    msf exploit(flexdotnetcms_upload_exec) > show options
        ...show and set options...
    msf exploit(flexdotnetcms_upload_exec) > exploit
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today