Monstra CMS 3.0.4 Remote Shell Upload

Monstra CMS version 3.0.4 suffers from a remote shell upload vulnerability that allows for remote code execution.

MD5 | 232ceeef3d1b599e0679a64c3c4ba7f7

Exploit Title: Monstra CMS - 3.0.4 RCE
Vendor Homepage:
Software Link:
Discovered by: Ishaq Mohammed
Category: webapps
Platform: PHP
Advisory Link:


MonstraCMS 3.0.4 allows users to upload arbitrary files which leads to a
remote command execution on the remote server.

Vulnerable Code:
line 19:

public static function main()
// Array of forbidden types
$forbidden_types = array('html', 'htm', 'js', 'jsb', 'mhtml', 'mht',
'php', 'phtml', 'php3', 'php4', 'php5',
'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh',
'ksh', 'bsh', 'c', 'htaccess', 'htpasswd',
'exe', 'scr', 'dll', 'msi', 'vbs', 'bat',
'com', 'pif', 'cmd', 'vxd', 'cpl', 'empty');

Proof of Concept
Steps to Reproduce:

1. Login with a valid credentials of an Editor
2. Select Files option from the Dropdown menu of Content
3. Upload a file with PHP (uppercase)extension containing the below code:





4. Click on Upload
5. Once the file is uploaded Click on the uploaded file and add ?cmd= to
the URL followed by a system command such as whoami,time,date etc.

Recommended Patch:
We were not able to get the vendor to respond in any way, the software
appears to have been left abandoned without support a though this is not an
official status on their site (last official patch was released on
2012-11-29), the github appears a bit more active (last commit from 2 years

The patch that addresses this bug is available here:

Best Regards,
Ishaq Mohammed

Related Posts