module
MaraCMS Arbitrary PHP File Upload
| Disclosed |
|---|
| Aug 31, 2020 |
Disclosed
Aug 31, 2020
Description
This module exploits an arbitrary file upload vulnerability in
MaraCMS 7.5 and prior in order to execute arbitrary commands.
The module first attempts to authenticate to MaraCMS. It then tries
to upload a malicious PHP file to the web root via an HTTP POST
request to `codebase/handler.php.` If the `php` target is selected,
the payload is embedded in the uploaded file and the module attempts
to execute the payload via an HTTP GET request to this file. For the
`linux` and `windows` targets, the module uploads a simple PHP web
shell similar to ``. Subsequently, it
leverages the CmdStager mixin to deliver the final payload via a
series of HTTP GET requests to the PHP web shell.
Valid credentials for a MaraCMS `admin` or `manager` account are
required. This module has been successfully tested against MaraCMS
7.5 running on Windows Server 2012 (XAMPP server).
MaraCMS 7.5 and prior in order to execute arbitrary commands.
The module first attempts to authenticate to MaraCMS. It then tries
to upload a malicious PHP file to the web root via an HTTP POST
request to `codebase/handler.php.` If the `php` target is selected,
the payload is embedded in the uploaded file and the module attempts
to execute the payload via an HTTP GET request to this file. For the
`linux` and `windows` targets, the module uploads a simple PHP web
shell similar to ``. Subsequently, it
leverages the CmdStager mixin to deliver the final payload via a
series of HTTP GET requests to the PHP web shell.
Valid credentials for a MaraCMS `admin` or `manager` account are
required. This module has been successfully tested against MaraCMS
7.5 running on Windows Server 2012 (XAMPP server).
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.