Mara CMS is an open-source, file-based content management system. It is built with HTML5 and CSS3 and is easy to use thanks to its drag-and-drop editing feature. Other features include live editing, instant preview and rollback.
To date, security researchers have found two vulnerabilities in Mara CMS: a cross-site scripting issue in contact.php and an unrestricted file upload.
In this post, I will demonstrate how to exploit the arbitrary file upload vulnerability found in Mara CMS 7.5. The attacker needs valid credentials for either the admin or the manager role in order to exploit it. The issue is in the codebase/handler.php file, which does not validate the type of file being uploaded, so an attacker can upload a malicious file to the server and then execute it.
In the exploitation phase, we first need to enumerate the version and check whether the installed Mara CMS is the one we are trying to exploit. There are various ways to do this, but to my knowledge the simplest is to check the changes.txt file, as shown in the image below.
Once we confirm the version, we need to log in to the platform. We can use the default credentials given in the test file, admin and changeme. The platform prompts the administrator to change the default credentials, but an administrator who is lazy enough to ignore this message makes the attacker's life easier.
If the credentials have been changed, the attacker has to obtain them some other way. Once the attacker is logged in, exploitation is easy. We log in to the platform with the default credentials and go to the vulnerable URL, where we upload a simple PHP script to run our commands. If the PHP system function is disabled, there are many other PHP functions, such as exec, passthru and shell_exec, that can be used instead.
Let me quickly upload the PHP file. By default the upload directory is the img directory, but we can specify '/', which means the file is uploaded directly to the Apache web root.
Now that we have uploaded the file, let's run some commands. Since the OS is Linux, I will run Linux commands; if the OS is Windows or something else, the corresponding commands can be executed.
I entered ls and we can list the contents of the working directory. Similarly, we can upload a PHP reverse shell to gain access to the system, or use the same script to get a reverse shell.
I have a PHP reverse shell ready, so let me upload it and gain a shell on the system.
And this way we gain access to the system, which completes the demonstration of this issue.
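From the defender's side, the two weaknesses shown above (an upload handler that never checks the file type, and a caller-chosen target directory that can be pointed at the web root) are what a fixed handler has to close. The following is an added example, not Mara CMS code or a patch for it; the upload directory, the allowlist and the parameter names `file` and `dir` are assumptions.

```php
<?php
// Added example (not Mara CMS code): a hardened upload handler with the checks
// the post says codebase/handler.php lacks. Paths and parameter names are assumed.
declare(strict_types=1);

const UPLOAD_ROOT = __DIR__ . '/img';     // assumed default upload directory
const ALLOWED = [                          // extension => expected content type (allowlist)
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
];

/**
 * Validate one uploaded file and store it. Returns ['ok' => true, 'path' => ...]
 * on success or ['ok' => false, 'reason' => ...] when the upload is rejected.
 * $file is an entry from $_FILES; $subdir is the user-supplied target directory.
 */
function storeUpload(array $file, string $subdir): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload error'];
    }
    // Never trust the client-supplied name: take only the extension and allowlist it.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return ['ok' => false, 'reason' => 'extension not allowed'];
    }
    // Check the real content type of the temp file, not the browser-sent Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        return ['ok' => false, 'reason' => 'content does not match extension'];
    }
    // Resolve the target directory and refuse anything outside UPLOAD_ROOT, so a
    // value like "/" or "../" can never land the file in the web root.
    $target = realpath(UPLOAD_ROOT . '/' . $subdir);
    $root   = realpath(UPLOAD_ROOT);
    if ($target === false || $root === false || strpos($target . '/', $root . '/') !== 0) {
        return ['ok' => false, 'reason' => 'target directory outside upload root'];
    }
    // Server-chosen random filename: the uploader controls neither name nor extension.
    $dest = $target . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['ok' => false, 'reason' => 'could not store file'];
    }
    return ['ok' => true, 'path' => $dest];
}

header('Content-Type: application/json');
echo json_encode(storeUpload($_FILES['file'] ?? [], (string)($_POST['dir'] ?? '')));
```

As defence in depth, the upload directory should also be served with script execution disabled in the web server configuration, so that even a file that slips through the checks is returned as static content rather than run.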
The video below was also made for educational purposes only. If you liked this video, give it a thumbs up and subscribe to the channel for more educational videos. If you have any suggestions or queries, kindly post them in the comments section so that I can act on them.
This post is only for educational purposes. All views, information or content expressed herein are my own and do not represent any entity whatsoever with which I have been, am now, or will be affiliated. The methods described and tools listed herein may prove dangerous or even illegal. Any action or activity you take based on the information here is strictly at your own risk, and I will not be held responsible for misuse in any form.