CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/documentation/modules/exploit/multi/http/cmsms_showtime2_rce.md
Views: 1904
Description
This module exploits a File Upload vulnerability that lead in a RCE in Showtime2 module (<= 3.6.2) in CMS Made Simple (CMSMS). An authenticated user with "Use Showtime2" privilege could exploit the vulnerability.
The vulnerability exists in the Showtime2 module, where the class "class.showtime2_image.php" does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG).
Tested on Showtime2 3.6.2, 3.6.1, 3.6.0, 3.5.4, 3.5.3, 3.5.2, 3.5.1, 3.5.0, 3.4.5, 3.4.3, 3.4.2 on CMS Made Simple (CMSMS) 2.2.9.1 and 2.2.10
Vulnerable Application
Affecting Showtime2 CMS Made Simple (CMSMS) module, version 3.6.2, 3.6.1, 3.6.0, 3.5.4, 3.5.3, 3.5.2, 3.5.1, 3.5.0, 3.4.5, 3.4.3, 3.4.2
Verification Steps
Setting up a working installation of CMS Made Simple (CMSMS)
Download Showtime2 module (< 3.6.3)
Log-in to admin panel with the administrator credentials
Go in site admin => Module Manager and import the Showtime2 module
Once the module is uploaded, click on install to install the module
[OPTIONALLY] setting up a new user, assign it to a group and set the Use Showtime2 permissions on group
Start
msfconsoleuse exploit/multi/http/cmsms_showtime2_rceset RHOST <IP>set USERNAME <USERNAME>set PASSWORD <PASSWORD>checkYou should see
The target appears to be vulnerable.exploitYou should get a meterpreter session!
Options
TARGETURI: Path to CMS Made Simple (CMSMS) App installation (“/” is the default)
USERNAME: Username to authenticate with
PASSWORD: Password to authenticate with