Getsimple CMS 3.3.10 - Arbitrary File Upload

ID 1337DAY-ID-25135
Type zdt
Reporter s0nk3y
Modified 2016-06-23T00:00:00


Exploit for php platform in category web applications

                                            # Exploit Title: Getsimple CMS <= 3.3.10 Arbitrary File Upload Vulnerability
# Google Dork: -
# Date: 23/06/2016
# Exploit Author: s0nk3y
# Vendor Homepage:
# Category: webapps
# Software Link:
# Version: 3.3.10
# Tested on: Ubuntu 16.04 / Mozilla Firefox
# Twitter:
# Linkedin: Rahmat Nurfauzi -
GetSimple CMS has been downloaded over 120,000 times (as of March 2013). 
The magazine t3n assigns GetSimple as "micro" and "Minimal-CMS" one, praises 
the simplicity yet possible extensibility through plug-ins.
GetSimpleCMS Version 3.3.10 suffers from arbitrary file upload vulnerability 
which allows an attacker to upload a backdoor.
This vulnerability is that the application uses a blacklist and whitelist 
technique to compare the file against mime types and extensions.
Proof of Concept
For exploiting this vulnerability we will create a file by adding the percent 
behind extension.
1. evil.php% <--- this is simple trick :)
// simple backdoor
2. An attacker login to the admin page and uploading the backdoor
3. The uploaded file will be under the "/data/uploads/" folder
Report Timeline
2016-06-23 : Vulnerability reported to vendor
2016-06-23 : Disclosure

# [2018-02-05]  #