Affected product: GetSimpleCMS CE

Version: 3.3.19

First, go to the backend management page, click the plugins button, and then click ‘Download more plugins’.


The ‘Download’ function is vulnerable to SSRF.


Create a new file ‘maa.php’; its contents are as follows:

image.png

Put it into a folder named ‘test’, and zip the ‘test’ folder.


Start Python’s HTTP server, then change the parameter so that the server downloads our ‘test’ plugin.


Visit admin/plugins.php to see the newly installed plugin.


Activate it and refresh the page.

RCE succeeds.

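One way to constrain the URL that the plugin ‘Download’ function fetches, shown as an added example that is not GetSimpleCMS CE code. The function name, the injectable resolver and the allowlisted host `plugins.example.org` are assumptions for illustration.

```php
<?php
// Added example, not GetSimpleCMS CE code.
// Placeholder allowlist: replace with the real trusted plugin repository host.
const PLUGIN_HOST_ALLOWLIST = ['plugins.example.org'];

/**
 * Accept only https URLs on an allowlisted host whose resolved
 * addresses are all public. $resolver is injectable for offline testing.
 */
function plugin_url_is_allowed(string $url, ?callable $resolver = null): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // malformed or relative URL
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return false; // blocks http://, file://, gopher://, ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false; // no embedded credentials (host-confusion tricks)
    }
    if (isset($parts['port']) && $parts['port'] !== 443) {
        return false; // no arbitrary ports
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    if (!in_array($host, PLUGIN_HOST_ALLOWLIST, true)) {
        return false; // exact match only, no suffix matching
    }
    $resolver = $resolver ?? 'gethostbynamel';
    $ips = $resolver($host);
    if (!$ips) {
        return false; // unresolvable host
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false; // loopback, private or reserved address
        }
    }
    return true;
}

// Constructed sample inputs; the stub resolver keeps the demo offline.
$stub = fn(string $host): array => ['93.184.216.34'];
foreach (['https://plugins.example.org/test.zip', 'http://10.0.0.5:8000/test.zip',
          'https://plugins.example.org@10.0.0.5/test.zip'] as $u) {
    printf("%-50s %s\n", $u, plugin_url_is_allowed($u, $stub) ? 'allow' : 'reject');
}
```

The fetch that follows should connect to the address that was validated and should not follow redirects, otherwise the check can be bypassed between validation and download. Because an installed plugin is PHP that runs once activated, restricting the download source is what stops this SSRF from becoming code execution.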