CVE-2020-28871
Published 2021-02-10
CVE-2020-28871: Remote code execution in Monitorr v1.7.6m in upload.php allows an unauthorized person to execute arbitrary code on the server-side via an insecure file upload.
Priority: P180 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild
EPSS: 85.78% (99.7th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| monitorr | monitorr | — | — |
Detection & IOCs (extracted from sources)
- Detect multipart POST requests to /assets/php/upload.php with a .php filename but Content-Type: image/gif — hallmark of the CVE-2020-28871 webshell upload bypass.
- Monitor GET requests to /assets/data/usrimg/*.php — successful exploitation results in a PHP webshell being fetched from this directory.
- The exploit uses X-Requested-With: XMLHttpRequest and Origin headers alongside the multipart upload; correlate these with the upload.php endpoint for detection.
- Use the Shodan/FOFA favicon hash -211006074 to identify exposed Monitorr instances for proactive asset discovery.
- The GIF magic bytes prefix 'GIF89a' prepended to the PHP payload is used to bypass content-type/magic-byte checks; detect PHP files in usrimg/ starting with GIF89a.
- Exploitation requires no authentication; any POST to upload.php from an unauthenticated session should be treated as suspicious.
- Affected versions include Monitorr 1.7.6m, 1.7.7d and below — confirm the version scope before applying detections to avoid false positives on patched instances.
- The Nuclei template uses a two-step detection (upload, then fetch); a single-step detection on POSTs to upload.php alone may produce false positives from legitimate file upload attempts.
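As an added defensive example (not code from the page's sources, nor from the Nuclei or Metasploit projects), the following Python applies the detection points above to constructed sample requests: it tags the upload.php multipart bypass, tags the follow-up fetch of a .php file under usrimg/, and only confirms when both steps are present. The Request type, the tag names and the sample traffic are assumptions made for the example.

```python
import re
from collections import namedtuple
# Added example: two-step detection for the CVE-2020-28871 pattern; all sample traffic below is constructed.
UPLOAD_PATH = "/assets/php/upload.php"
USRIMG_PHP = re.compile(r"^/assets/data/usrimg/[^/]+\.php$", re.I)
PHP_FILENAME = re.compile(r'filename="[^"]*\.ph(?:p\d?|tml|ar)"', re.I)
IMAGE_PART = re.compile(r"Content-Type:\s*image/", re.I)
Request = namedtuple("Request", "method path ctype body", defaults=("", b""))

def is_disguised_php(data: bytes) -> bool:
    """GIF magic followed by a PHP open tag: usable on a request part or on a file found in usrimg/."""
    return data.startswith(b"GIF89a") and b"<?php" in data

def flag_upload(req):
    """Tag a multipart POST to upload.php that shows the bypass hallmarks; None otherwise."""
    if req.method != "POST" or req.path != UPLOAD_PATH or "multipart/form-data" not in req.ctype:
        return None
    text = req.body.decode("latin-1", "replace")
    if PHP_FILENAME.search(text) and IMAGE_PART.search(text):
        return "php-filename-with-image-content-type"
    payload = req.body.split(b"\r\n\r\n", 1)[-1]  # body of the first part, after its headers
    return "gif-magic-prefixed-php-payload" if is_disguised_php(payload) else None

def flag_fetch(req):
    """Second step of the chain: a GET for a .php file under usrimg/."""
    return req.method == "GET" and USRIMG_PHP.match(req.path) is not None

def scan(requests):
    alerts = []
    for r in requests:
        tag = flag_upload(r)
        if tag:
            alerts.append((r.path, tag))
        if flag_fetch(r):
            alerts.append((r.path, "usrimg-php-fetch"))
    return alerts

def two_step_confirmed(alerts):
    """Require an upload hit plus a usrimg fetch, so a lone legitimate upload does not fire."""
    tags = {t for _, t in alerts}
    return "usrimg-php-fetch" in tags and bool(tags - {"usrimg-php-fetch"})
MP = "multipart/form-data; boundary=xx"
SAMPLE = [  # constructed traffic: one bypass attempt and one legitimate GIF upload
    Request("POST", UPLOAD_PATH, MP, b'--xx\r\nContent-Disposition: form-data; name="fileToUpload"; '
            b'filename="shell.php"\r\nContent-Type: image/gif\r\n\r\nGIF89a<?php /* placeholder */ ?>\r\n--xx--\r\n'),
    Request("GET", "/assets/data/usrimg/shell.php"),
    Request("POST", UPLOAD_PATH, MP, b'--xx\r\nContent-Disposition: form-data; name="fileToUpload"; '
            b'filename="avatar.gif"\r\nContent-Type: image/gif\r\n\r\nGIF89a\x01\x00\r\n--xx--\r\n'),
    Request("GET", "/assets/data/usrimg/avatar.gif"),
]
```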
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
Metasploit
Monitorr unauthenticated Remote Code Execution (RCE)
This module exploits an arbitrary file upload vulnerability and achieves RCE in the Monitorr application. Using a specially crafted request, custom PHP code can be uploaded and injected through the endpoint upload.php because of missing input validation. Any user privilege level can exploit this vulnerability, and it results in access to the underlying operating system with the same privileges under which the web service runs (typically user www-data). Monitorr 1.7.6m, 1.7.7d and below are affected.
Nuclei
Monitorr 1.7.6m - Unauthenticated Remote Code Execution (CVSS 9.8, severity critical)
Monitorr 1.7.6m is susceptible to a remote code execution vulnerability. Improper input validation and lack of authorization lead to arbitrary file uploads in the web application. An unauthorized attacker with web access could upload and execute a specially crafted file, leading to remote code execution within Monitorr.
Template:
```yaml
id: CVE-2020-28871

info:
  name: Monitorr 1.7.6m - Unauthenticated Remote Code Execution
  author: gy741
  severity: critical
  description: Monitorr 1.7.6m is susceptible to a remote code execution vulnerability. Improper input validation and lack of authorization leads to arbitrary file uploads in the web application. An unauthorized attacker with web access to could upload and execute a specially crafted file, leading to remote code execution within the Monitorr.
```
Unit42 · blogs_unit42 · 2021-10-14
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
## Executive Summary
Recently, Unit 42 has observed active exploits related to an open-source service called Interactsh. This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers – but also by attackers – to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof of concept (PoC) for an exploit can insert Interactsh to check whether the PoC is working, but the service could also be used by attackers who want to be sure an exploit is working.
This blog will first introduce the Interactsh tool and how researchers or attackers can leverage it to perform vulnerability validation. We then describe some of the many exploits in the wild leveraging this tool, and we
Authors: Yue Guan, Jin Chen, Leo Olson, Wayne Xin, Daiping Liu · Published: October 14, 2021
References
- http://packetstormsecurity.com/files/163263/Monitorr-1.7.6m-Bypass-Information-Disclosure-Shell-Upload.html
- http://packetstormsecurity.com/files/170974/Monitorr-1.7.6-Shell-Upload.html
- http://packetstormsecurity.com/files/171429/Monitorr-1.7.6m-1.7.7d-Remote-Code-Execution.html
- https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/
- https://www.exploit-db.com/exploits/48980