Unveiling Vulnerabilities in CMS Made Simple 2.2.5 - RCE (Remote Code Execution)

CMS Made Simple is a Content Management System

CMS Made Simple is a content management system in the same category as Joomla, WordPress, Drupal and others. Here I exploit CMS Made Simple 2.2.5. I do this purely as a web-hacking lab exercise, even though the current release of CMS Made Simple was already 2.2.15 when this article was written.

Here I ran the OWASP ZAP fuzzer against the login form (in effect a credential brute-force) and obtained a working username and password.


username: root and password: 20002000

Next we log in with those credentials. From here I conclude that the file upload menu does exist; it is just hidden from the interface by the developer.

I also obtained one more piece of information: the exact version of this CMS Made Simple install, 2.2.5, which is printed in the web footer.

Next we use the exploit I obtained from Exploit-DB. It is an authenticated exploit, so it needs the credentials we found above.

But we cannot simply run the exploit as downloaded; my suggestion is always to read the source code first. Here I have downloaded the exploit as Python source code.

Edit the target details in the exploit script as in the example above. Once that is done, we run the exploit with the command:

python nameexploit.py

We can see that the script throws an error, shown below.

The traceback says "list index out of range", so we check the line of the source code it points at:

return location.split(csrf_param + "=")[1]

To rule out a Python 2 usage problem with split itself, I first test it with a simple script, as shown.

The split function in Python breaks a string into a list on the given delimiter; if the delimiter never occurs, the list has a single element and indexing it with [1] raises exactly this error.
When I test it there is no problem with split itself, so the cause is most likely the token: the script hardcodes the CSRF parameter name "__c", and not every installation necessarily uses the same parameter name. To check the name of the token parameter the target actually uses, we add a debug line just before the split that prints the string being split:

print "[+] String that is being split: " + location

Run the exploit again and the debug output shows the Location string that is being split:

The output shows that the token parameter on this target is "_sk_", not "__c". So we go back into the exploit and change the csrf_param value from "__c" to "_sk_".

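As an added example (not code from the original post or from the Exploit-DB script), the following Python 3 snippet reproduces the script's one-liner to show exactly why it raises IndexError when the parameter name differs, and then replaces it with a query-string parser that tries both "__c" and "_sk_" and returns None instead of crashing when no token is present (for example after a failed login). The host name and the sample Location headers are constructed for illustration and were not captured from a real target.

```python
"""Robust CSRF-token extraction for the CMS Made Simple admin redirect.

Added example for this write-up; it is not part of the Exploit-DB script.
That script runs ``location.split(csrf_param + "=")[1]`` on the Location
header returned after login, with csrf_param hard-coded to "__c". When the
target names the parameter differently (this target used "_sk_"), split finds
no delimiter, returns a one-element list, and ``[1]`` raises
"IndexError: list index out of range". Parsing the query string properly and
trying each known name avoids that crash and reports a missing token instead.
"""
from urllib.parse import parse_qs, urlparse

# Parameter names observed for the admin CSRF/session token: "__c" is what the
# original script assumes, "_sk_" is what the target in this write-up used.
CSRF_PARAM_CANDIDATES = ("__c", "_sk_")


def naive_extract(location, csrf_param):
    """The original script's one-liner, kept here to show the failure mode."""
    return location.split(csrf_param + "=")[1]


def naive_extract_fails(location, csrf_param):
    """True if the original one-liner would crash on this Location header."""
    try:
        naive_extract(location, csrf_param)
    except IndexError:
        return True
    return False


def extract_csrf_token(location, candidates=CSRF_PARAM_CANDIDATES):
    """Return (param_name, token) from a redirect Location header, or None.

    The query string is parsed with urllib instead of string splitting, so an
    absent parameter yields None rather than an IndexError, and a token that
    is followed by further parameters (``...&foo=bar``) is not mangled the way
    the naive split would mangle it.
    """
    query = parse_qs(urlparse(location).query, keep_blank_values=True)
    for name in candidates:
        values = query.get(name)
        if values and values[0]:
            return name, values[0]
    return None


# Constructed sample Location headers (not captured from a real target).
SAMPLE_LOCATIONS = {
    "original assumption": "http://cms.lab/admin/index.php?__c=abcdef1234",
    "this target": "http://cms.lab/admin/index.php?_sk_=0123456789ab&foo=bar",
    "login failed": "http://cms.lab/admin/login.php",
}

if __name__ == "__main__":
    for label, loc in SAMPLE_LOCATIONS.items():
        print("[+] String that is being split: " + loc)
        if naive_extract_fails(loc, "__c"):
            outcome = "IndexError (hard-coded '__c' not found)"
        else:
            outcome = naive_extract(loc, "__c")
        print("    original one-liner with csrf_param='__c': %s" % outcome)
        print("    robust extraction: %r" % (extract_csrf_token(loc),))
```

Dropping the robust function into the original Python 2 script only requires importing `urlparse` and `parse_qs` from the `urlparse` module instead of `urllib.parse`; the logic is identical, and the script would then report a missing token instead of dying with a traceback.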

Now we run it again; if it works the output looks like the one below:

If you want the fixed exploit script, you can download the version I adjusted; it also handles whether the target uses HTTPS or HTTP: download here.

Note: I did not remove the credit for the author who wrote this script on Exploit-DB; I only added what was missing. This is only for learning; I am also still learning, and this tutorial is itself a result of that learning.
