Bugtraq mailing list archives

Re: Re: Re: [KAPDA::#16] - SMF SQL Injection
From: grudge () securityfocus com, simplemachines () securityfocus com, org () securityfocus com
Date: 13 Dec 2005 23:52:06 -0000

Remember, SMF only shows database syntax errors to administrators anyway, so they would not even see the query string 
itself. All the average user trying this gets is "A database error has occured".

Either way securityfocus have kindly removed the advisory so we're happy.

[quote]
mphhh, correct...
the only problem I see is path disclosure, 'cause you can inject only a one char string:

http://[target]/smfrc1/index.php?action=mlist;sort=realName;start=\;desc

query becomes:

SELECT COUNT(ID_MEMBER) FROM smf_members WHERE LOWER(SUBSTRING(realName, 1, 1)) < '\' AND is_activated = 1

and on screen, you have:

Errore di sintassi nella query SQL vicino a ''\'
AND is_activated = 1' linea 3
File: [full_application_path]Memberlist.php
Line: 162

but I think you cannot inject commands...
[/quote]
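
Added example, not part of the original post and not SMF's code: it rebuilds the quoted query from a one-character `start` value, shows why a lone backslash leaves the string literal unterminated under MySQL's default backslash escaping (the syntax error quoted above), and shows an allow-list fix. The function names and the template reconstruction are assumptions.

```python
import re

# Query template reconstructed from the statement quoted in the post (assumption).
TEMPLATE = ("SELECT COUNT(ID_MEMBER) FROM smf_members "
            "WHERE LOWER(SUBSTRING(realName, 1, 1)) < '{}' AND is_activated = 1")


def build_unsafe(start):
    """Behaviour described in the thread: first character of `start`, unescaped."""
    return TEMPLATE.format(start[:1])


def build_safe(start):
    """Hardened variant (assumption): accept one letter or digit, otherwise no filter."""
    ch = start[:1].lower()
    if not re.fullmatch(r"[a-z0-9]", ch):
        return None  # caller falls back to the unfiltered member list
    return TEMPLATE.format(ch)


def literal_is_closed(sql):
    """Scan string literals the way MySQL does by default: a backslash escapes
    the next character and '' is a quoted quote. False means a literal never ends."""
    i, in_str = 0, False
    while i < len(sql):
        c = sql[i]
        if in_str:
            if c == "\\":
                i += 2              # escaped character, skip it
                continue
            if c == "'":
                if sql[i + 1:i + 2] == "'":
                    i += 2          # doubled quote stays inside the literal
                    continue
                in_str = False
        elif c == "'":
            in_str = True
        i += 1
    return not in_str


if __name__ == "__main__":
    for value in ("a", "\\"):       # constructed sample inputs
        print(repr(value), literal_is_closed(build_unsafe(value)), build_safe(value))
```

The syntax error is only the trigger; the path disclosure comes from the error page printing the file name and line, so error detail should also go to a server-side log rather than the response.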

