SubrionCMS 4.2.1 Authenticated Remote Code Execution
- /panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.
- Windows/Linux:
$ sudo python3 subrionRCE.py -u http://IP/panel/ -l <user> -p <password>
