-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathREADME.smf-server
21 lines (17 loc) · 991 Bytes
/
README.smf-server
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
Do the following on the smf-server to introduce the vulnerability.
> scp vulns/{smf_injection,smf_install_injection}.php root@smf-server:/var/www/lighttpd/forum
> ssh root@smf-server 'php /var/www/lighttpd/forum/smf_install_injection.php'
The first line copies two files to the server. One is a small installation script.
The other is the vulnerability. The vulnerability is invoked everytime a theme is loaded,
which is, I'm pretty sure, on every page. The installation script registers the
vulnerability function as an SMF integration callback function.
In order to allow single and double quotes in URLs passsed to the SMF application,
you need to disable checking for it. There may be a GUI way to do it, but we just
update the configuration tables in the database directly.
on smf-server:
> su - postgres
> psql injection
> insert into smf_settings values ('disableQueryCheck', 1);
> ^D # logout of psql
> ^D # logout of postgres owned shell
> service lighttpd restart