SMF is now exploitable

No explicit questions like "how do I hack xxx.com" please!

Post by rambo »

0day SMF discovered by The-Dark_Man && Nexen --->Italian Bug Hunter <---

Translated into English by cybermilitant

Note: The bug is public


This is a dangerous bug because many upload systems are affected; with this bug you can upload a phpshell, bypassing the restrictions.

Begin:
Prepare your shell (like c99 or nexpl0rer).
Rename it as shell.php.zip (warning: you mustn't put the shell in an archive, you must only rename it!).
Afterwards, upload it through SMF's attachment upload.
Now, if you are lucky, and the admin hasn't enabled the option to encrypt filenames, you will find your phpshell here:
http://victim/path/attachments/shell.php.zip


Discovered by The-Dark_Man && NexeN

Enjoy
Rambo


Post by Big-E »

Thanks rambo, I may look further into this and post my findings.


Post by mo2332 »

any u mind taking a video on how to use it :)?


Post by Big-E »

He just told you how to use it, just read his post and do some research.


Post by mo2332 »

Prepare your shell (like c99 or nexpl0rer). ?


Post by Big-E »

Do the following:

www.google.com > type shell + c99 (or nexpl0rer) > search

Then read all the skiddie tutorials on the aforementioned.


Post by mo2332 »

ty :) u are the l33t. But could not find any tuts :(


Post by Big-E »

That does not make me 'l337', it makes me a human capable of doing very un-complex searches for useless information which has no applicable use other than to be a nuisance to people browsing the internet. Again, people using this exploit are idiots who use skiddie tactics, calling themselves hackers.


Post by mo2332 »

I just want to know how to use it for knowledge


Post by Big-E »

If you want something to do, I suggest reading up on the TCP/IP protocol, OSI Model and various other networking topics. Then, if you were to learn a programming language, you could write your own P-O-C exploits and be a real hacker, much like many of us here strive to be.


Post by mo2332 »

Before I can do that I need to know how it works. BTW I'm exploiting my site so no harm done.


Post by isapiens »

Well, I didn't know what c99 is, so this is what I typed in Google:

    c99 shell

And it gave me the info I needed.

Btw, I didn't know what SMF is either. It's forum-building software, correct? (stands for simple machine smth..)

So, anyway, about the exploit... So the only thing you have to do is give the php file a fake zip extension?
Fluoridation is the most monstrously conceived and dangerous communist plot we have ever had to face.


Post by bad_brain »



Post by rhysh »

OK, this doesn't really surprise me.
Now a lot of you will find uploaders disable .php extensions to be uploaded.
Now what's say you want to upload a shell
but .php and .asp is disabled
but they have enabled .zip .rar .gif .jpg and so on.
Now you rename it, making sure you have .php as the first extension,
e.g.

shel.php
rename to shel.php.rar
or try
shel.php.zip
shel.php.gif
shel.php.jpg


There are many different filetypes,
look them up.
But when you upload your shell as .php.rar or something the file is opened as its format now as extension.
Now your standard shell will be text/html format so the server executes it as that.

Some admins choose to make it auto rename to,
what's say,
y4h7h5frj4h78kz7s0n1c0n1.html
That's encrypted and automatically executed as html code,
useless to you.

Hope this helps,
but many sites I have shells on I have used this trick on an uploader.
Enjoy
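
A defender's view of the rename trick discussed in this thread, as an added example that is not part of any post: a Python upload check that rejects a script extension anywhere in the name instead of looking only at the last one, plus a random on-disk name in the spirit of the "encrypt filenames" option mentioned above. The extension lists, function names and sample file names are assumptions constructed for illustration, not SMF's own code.

```python
import secrets

# Assumed lists: extend SCRIPT_EXTS to match every handler your web server maps.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar",
               "asp", "aspx", "jsp", "cgi", "pl"}
ALLOWED_FINAL_EXTS = {"zip", "rar", "gif", "jpg", "png", "txt", "pdf"}


def extensions(name):
    """Return every dot-separated extension of the base name, lower-cased."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any client path
    parts = base.lower().strip(". ").split(".")         # ignore trailing dots/spaces
    return parts[1:]


def check_upload(name):
    """Return (accepted, reason) for a client-supplied attachment name."""
    exts = extensions(name)
    if not exts:
        return (False, "no extension")
    if exts[-1] not in ALLOWED_FINAL_EXTS:
        return (False, "final extension not allowed: " + exts[-1])
    # The check a last-extension-only filter misses: shell.php.zip ends in .zip.
    inner = [e for e in exts[:-1] if e in SCRIPT_EXTS]
    if inner:
        return (False, "script extension inside name: " + inner[0])
    return (True, "ok")


def stored_name():
    """Random on-disk name with no client-controlled part and no extension;
    the original name belongs in the database, not on the filesystem."""
    return secrets.token_hex(20)


def audit(listing):
    """Flag names in an existing attachments listing that hide a script extension."""
    return [n for n in listing if any(e in SCRIPT_EXTS for e in extensions(n)[:-1])]


# Constructed sample listing; shell.php.zip is the name used in the thread.
SAMPLE = ["holiday.jpg", "shell.php.zip", "backup.v2.zip", "notes.PHP.rar"]

if __name__ == "__main__":
    for n in SAMPLE:
        print(n, check_upload(n))
    print("flagged:", audit(SAMPLE))
    print("store as:", stored_name())
```

Running `audit` over the attachments directory of an existing install shows whether files with this naming pattern are already present.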


Post by rambo »

I'm not being nasty or anything mo2332 but if you do not know or understand how to use it.. Don't touch it..

Newbs often screw up their computers by not knowing how to do something and just self-experimenting.

Locked