CMS Made Simple Authenticated RCE via File Upload/Copy
CMS Made Simple allows an authenticated administrator to upload a file and rename it to have a .php extension. The file can then be executed by opening the URL of the file in the /uploads/ directory. This module has been successfully tested on CMS Made Simple versions 2.2.5 and 2.2.7.
- Mustafa Hasen
- Jacob Robles
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/multi/http/cmsms_upload_rename_rce
msf exploit(cmsms_upload_rename_rce) > show targets
...targets...
msf exploit(cmsms_upload_rename_rce) > set TARGET <target-id>
msf exploit(cmsms_upload_rename_rce) > show options
...show and set options...
msf exploit(cmsms_upload_rename_rce) > exploit
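As a defender's check added here (not code from the module or from the CMS Made Simple project), the following Python lists files under a web root's uploads/ directory that a PHP handler would execute and flags access-log requests for scripts under /uploads/, which is what the upload-and-rename described above leaves behind. The log format, the directory layout and the sample lines are constructed assumptions.

```python
import os
import re
import tempfile

# Extensions a default PHP handler executes if such a file lands under /uploads/.
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".phar"}

# Common/combined access-log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_executable_path(path):
    """True for a request path or file name whose extension PHP would execute."""
    return os.path.splitext(path.split("?", 1)[0])[1].lower() in EXECUTABLE_EXTS

def suspicious_upload_files(web_root):
    """List files under <web_root>/uploads that the web server could execute as PHP."""
    hits = []
    for dirpath, _, names in os.walk(os.path.join(web_root, "uploads")):
        for name in names:
            if is_executable_path(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), web_root))
    return sorted(hits)

def suspicious_requests(log_lines):
    """Return (ip, path, status) for every request that executes a script under /uploads/."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("path").startswith("/uploads/") and is_executable_path(m.group("path")):
            hits.append((m.group("ip"), m.group("path").split("?", 1)[0], int(m.group("status"))))
    return hits

def make_sample_web_root():
    """Constructed sample tree: a benign image and a renamed .php file in uploads/."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "uploads", "images"))
    for rel in ("uploads/images/logo.png", "uploads/images/logo.php", "index.php"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    return root

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2019:10:00:00 +0000] "GET /uploads/images/logo.png HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2019:10:00:05 +0000] "POST /admin/ HTTP/1.1" 302 0',
    '203.0.113.5 - - [01/Jan/2019:10:00:09 +0000] "GET /uploads/images/logo.php?x=1 HTTP/1.1" 200 77',
    'not a log line',
]
```

A web server rule that refuses to execute scripts under /uploads/ removes the root cause; this check is for finding an already-planted file and the request that ran it.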