Summary:
A Remote Command Execution vulnerability in the admin backend of CMS Made Simple 2.2.15
Detailed Description:
A Remote Command Execution vulnerability exists in the admin backend of CMS Made Simple
2.2.15, in the upload avatar function.
Uploading an image containing malicious PHP code and then changing the image
extension to .php by using the copy function
eventually leads to remote code execution.
Steps to exploit:
1) Log in as admin at http://localhost/admin/moduleinterface.php, click 'content' >
'File Manager', then upload an image containing malicious PHP code:
payload: phpinfo.png
content of phpinfo.png :
<script language="php"> phpinfo(); </script>
2) Use the 'copy' function to copy phpinfo.png, set 'Target File name' to
phpinfo.php, and click 'copy'.
3) Open the link to phpinfo.php and the PHP code will be
triggered: http://localhost/uploads/phpinfo.php
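
For defenders, the artefacts these steps leave in the uploads directory can be checked for directly. The scanner below is an added example, not part of the original report or of CMS Made Simple; the extension lists, the function name scan_uploads and the sample file tree are assumptions constructed for illustration.

```python
import hashlib, re, tempfile
from pathlib import Path

SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}  # assumed list
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif"}               # assumed list
# "<?php" and the <script language="php"> form from the report (that tag
# form is only parsed by PHP 5.x; PHP 7.0 removed it).
PHP_TAG = re.compile(rb"<\?php|<script\s+language\s*=\s*[\"']?php", re.I)

def scan_uploads(root):
    """Return sorted (relative_path, reason) findings under root."""
    root = Path(root)
    findings, image_hashes, scripts = [], {}, []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel, ext = path.relative_to(root).as_posix(), path.suffix.lower()
        data = path.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        if ext in IMAGE_EXTS:
            # Remember image hashes so copies with a new extension stand out.
            image_hashes.setdefault(digest, rel)
            if PHP_TAG.search(data):
                findings.append((rel, "image contains PHP open tag"))
        elif ext in SCRIPT_EXTS:
            scripts.append((rel, digest))
    for rel, digest in scripts:
        # An uploads directory should not hold server-side scripts at all.
        findings.append((rel, "script extension in uploads"))
        if digest in image_hashes:
            findings.append((rel, "byte-identical copy of " + image_hashes[digest]))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample tree mirroring the report's file names.
    with tempfile.TemporaryDirectory() as tmp:
        payload = b'<script language="php"> phpinfo(); </script>'
        Path(tmp, "phpinfo.png").write_bytes(payload)
        Path(tmp, "phpinfo.php").write_bytes(payload)
        Path(tmp, "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(32))
        for rel, reason in scan_uploads(tmp):
            print(f"{rel}: {reason}")
```

The byte-identical check catches the copy step specifically: a script-extension file whose hash matches an uploaded image was produced by renaming or copying, not by a normal upload.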