Rapid7 Vulnerability & Exploit Database

FlexDotnetCMS Arbitrary ASP File Upload

Back to Search

FlexDotnetCMS Arbitrary ASP File Upload



This module exploits an arbitrary file upload vulnerability in FlexDotnetCMS v1.5.8 and prior in order to execute arbitrary commands with elevated privileges. The module first tries to authenticate to FlexDotnetCMS via an HTTP POST request to `/login`. It then attempts to upload a random TXT file and subsequently uses the FlexDotnetCMS file editor to rename the TXT file to an ASP file. If this succeeds, the target is vulnerable and the ASP file is generated as a copy of the TXT file, which remains on the server. Next, the module sends another request to rename the TXT file to an ASP file, this time adding the payload. Finally, the module tries to execute the ASP payload via a simple HTTP GET request to `/media/uploads/asp_payload` Valid credentials for a FlexDotnetCMS user with permissions to use the FileManager are required. This module has been successfully tested against FlexDotnetCMS v1.5.8 running on Windows Server 2012.


  • Erik Wynter




Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/http/flexdotnetcms_upload_exec
msf exploit(flexdotnetcms_upload_exec) > show targets
msf exploit(flexdotnetcms_upload_exec) > set TARGET < target-id >
msf exploit(flexdotnetcms_upload_exec) > show options
    ...show and set options...
msf exploit(flexdotnetcms_upload_exec) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security