first commit

cmsms/CVE-2021-26120/README.md

@@ -0,0 +1,42 @@
+# CMS Made Simple (CMSMS) Unauthenticated Remote Code Execution (CVE-2019-9053/CVE-2021-26120)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+CMS Made Simple (CMSMS) is a free, open source content management system to provide developers, programmers and site owners a web-based development and administration area.
+
+Smarty before 3.1.39 allows code injection via an unexpected function name after a `{function name=` substring, CVE-2021-26120 was assigned to this issue.
+
+CMS Made Simple version <= 2.2.15, a user that is authenticated with designer permissions can trigger a server side template injection, the CVE-2021-26120 mentioned above.
+
+So, if the CMSMS version is prior to 2.2.9.1, unauthencated attacker is able to chain [CVE-2019-9053](https://github.com/vulhub/vulhub/tree/master/cmsms/CVE-2019-9053) and CVE-2021-26120 to execute arbitrary code in the server.
+
+References:
+
+- <https://srcincite.io/pocs/cve-2021-26120.py.txt>
+- <https://www.exploit-db.com/exploits/46635>
+
+## Vulnerable Environment
+
+Execute following command to start a CMS Made Simple 2.2.9.1:
+
+```
+docker compose up -d
+```
+
+After the server is started, you should install the CMS at `http://your-ip/install.php`.
+
+Following the install instructions to install the CMSMS, MySQL database address is `db`, database name is `cmsms`, username and password are both `root`.
+
+![](1.png)
+
+## Exploit
+
+Use the [POC](poc.py) inside the <https://srcincite.io/pocs/cve-2021-26120.py.txt> to reset the administrator password and execute arbitrary commands:
+
+```
+python poc.py 127.0.0.1 / id
+```
+
+![](2.png)
+
+As you can see, `id` command has been executed.