Remote code execution in Monitorr v1.7.6m in upload.php allows an unauthorized person to execute arbitrary code on the server-side via an insecure file upload.
This Metasploit module exploits an arbitrary file upload vulnerability to achieve remote code execution (RCE) in the Monitorr application.
Using a specially crafted request, custom PHP code can be uploaded and injected through the upload.php endpoint because of missing input validation.
A user with any level of privileges can exploit this vulnerability, which results in access to the underlying operating system with the same privileges
under which the web services run (typically user www-data).
Monitorr 1.7.6m, 1.7.7d and below are affected.
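For defenders, the upload-then-execute pattern described above leaves a trace in web server access logs: a successful POST to upload.php followed shortly by the first-ever request for a PHP-type file. The following detection sketch is an added example, not code from the module or from Monitorr; the log lines, every path except the upload.php endpoint name, the 15-minute window and the function name are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in combined log format; IPs, paths and times are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Nov/2020:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [12/Nov/2020:10:00:05 +0000] "GET /settings.php HTTP/1.1" 200 2048
203.0.113.9 - - [12/Nov/2020:10:03:10 +0000] "POST /app/upload.php HTTP/1.1" 200 310
203.0.113.9 - - [12/Nov/2020:10:03:12 +0000] "GET /app/img/a1b2.php HTTP/1.1" 200 17
198.51.100.7 - - [12/Nov/2020:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.9 - - [12/Nov/2020:10:30:00 +0000] "GET /app/img/logo.png HTTP/1.1" 200 900
"""

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
SCRIPT = re.compile(r'\.(php\d?|phtml|phar)$', re.I)  # server-executed extensions
WINDOW = timedelta(minutes=15)                         # assumed correlation window

def find_upload_then_execute(log_text, upload_suffix="/upload.php"):
    """Return (upload_ip, script_path, request_ip) for each script path whose
    first successful request falls within WINDOW after a successful upload POST."""
    seen, last_upload, hits = set(), None, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]      # drop the query string
        ok = m["status"].startswith("2")
        if m["method"] == "POST" and path.endswith(upload_suffix) and ok:
            last_upload = (ts, m["ip"])        # remember the most recent upload
        elif SCRIPT.search(path) and path not in seen:
            # A script nobody requested before, served right after an upload.
            if last_upload and ok and ts - last_upload[0] <= WINDOW:
                hits.append((last_upload[1], path, m["ip"]))
        if ok:
            seen.add(path)                     # baseline of known-good paths
    return hits

if __name__ == "__main__":
    for upload_ip, path, req_ip in find_upload_then_execute(SAMPLE_LOG):
        print(f"upload from {upload_ip} then new script {path} hit by {req_ip}")
```

The baseline is only as good as the log history fed in, so run it over enough history that the application's legitimate PHP pages are already in the seen set before the period under review.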
msf > use exploit/multi/http/monitorr_webshell_rce_cve_2020_28871
msf exploit(monitorr_webshell_rce_cve_2020_28871) > show targets
...targets...
msf exploit(monitorr_webshell_rce_cve_2020_28871) > set TARGET <target-id>
msf exploit(monitorr_webshell_rce_cve_2020_28871) > show options
...show and set options...
msf exploit(monitorr_webshell_rce_cve_2020_28871) > exploit