Become a patron and gain access to the dashboard, Schedule scans, API and Search patron
"MonoCMS Blog 1.0 - Arbitrary File Deletion (Authenticated)"
Author
"Shahrukh Iqbal Mirza"
Platform
php
Release date
2020-10-01
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 | # Exploit Title: MonoCMS Blog 1.0 - Arbitrary File Deletion (Authenticated) # Date: 2020-09-20 # Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24) # Vendor Homepage: https://monocms.com/download # Software Link: https://monocms.com/download # Version: 1.0 # Tested On: Windows 10 (XAMPP) # CVE: N/A Proof of Concept: 1. In the upload images page, make a request to delete an already uploaded image. If no image present, upload an image and then make a request to delete that image. 2. Notice the Request URL <ip>/base_path_to_cms/uploads?delimg=../../../../../Temp/Copy.txt This deletes the file ‘copy.txt’ from C:\Temp 3. Use simple directory traversals to delete arbitrary files. Note: php files can be unlinked and not deleted. =========================================================================================================================== ########################################################################################################################### =========================================================================================================================== # Exploit Title: MonoCMS Blog - Account Takeover (CSRF) # Date: September 29th, 2020 # Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24) # Vendor Homepage: https://monocms.com/download # Software Link: https://monocms.com/download # Version: 1.0 # Tested On: Windows 10 (XAMPP) # CVE: CVE-2020-25986 Proof of Concept: Login using a test user (attacker). Make a password change request, and enter a new password and then intercept the request (in BurpSuite). Generate a CSRF PoC. Save the HTML code in an html file. Login as another user (victim), open the CSRF-PoC html file, and click on submit request. Victim user’s password will be changed. =========================================================================================================================== ########################################################################################################################### =========================================================================================================================== # Exploit Title: MonoCMS Blog - Sensitive Information Disclosure (Hardcoded Credentials) # Date: September 29th, 2020 # Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24) # Vendor Homepage: https://monocms.com/download # Software Link: https://monocms.com/download # Version: 1.0 # Tested On: Windows 10 (XAMPP) # CVE: CVE-2020-25987 Proof of Concept: Hard-coded admin and user hashes can be found in the “log.xml” file in the source-code files for MonoCMS Blog. Hash type is bcrypt and hashcat mode 3200 can be used to crack the hash. |
| Release Date | Title | Type | Platform | Author |
|---|---|---|---|---|
| 2020-12-02 | "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Add Artwork" | webapps | multiple | "Shahrukh Iqbal Mirza" |
| 2020-12-02 | "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" | webapps | multiple | "Shahrukh Iqbal Mirza" |
| 2020-10-01 | "MonoCMS Blog 1.0 - Arbitrary File Deletion (Authenticated)" | webapps | php | "Shahrukh Iqbal Mirza" |
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48848/?format=json')
For full documentation follow the link above