cbcvebase.
CVE-2005-4891
published 2020-01-15

CVE-2005-4891: Simple Machine Forum (SMF) versions 1.0.4 and earlier have an SQL injection vulnerability that allows remote attackers to inject arbitrary SQL statements.

Priority: P261, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.76% (75.1th percentile)

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| simple_machine_forum | simple_machine_forum | | |
| simplemachines | simple_machine_forum | <= 1.0.4 | |

Detection & IOCs (extracted from sources)

ua: `SMF Hash Grabber v1.0`
command: `%20UNION%20SELECT%20memberName,0,passwd,0,0%20FROM%20smf_members%20WHERE%20ID_MEMBER=`
url: `/index.php?action=login2`
  • Look for URL-encoded UNION SELECT payloads in the `msg` parameter of SMF index.php requests, specifically targeting the smf_members table to extract memberName and passwd fields.
  • Detect the exploit's characteristic User-Agent string 'SMF Hash Grabber v1.0' in HTTP request logs.
  • Monitor for the `sesc` session token (32-char hex) being extracted and reused across requests — the exploit replaces the sesc parameter to bypass CSRF protection before issuing the injected modify-post request.
  • Flag HTTP GET requests to index.php containing both a `msg` parameter and URL-encoded UNION SELECT … FROM smf_members patterns, indicating SQL injection via the modify-post action.
  • The SQL injection payload assumes the SMF database table prefix is `smf_` (i.e., `smf_members`). Installations using a custom table prefix will require a modified payload; detections hard-coded to this table name may miss such variants.
  • The login-success detection heuristic is based on response content length being less than 1024 bytes; modded SMF installs may alter this behaviour and cause the exploit script to fail at the authentication step.
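
The User-Agent and `msg` checks above, run over access-log lines, as an added example (not code from this page or its sources). It assumes Apache/nginx combined log format, matches any `<prefix>members` table rather than only `smf_members`, and splits on `;` as well as `&` because SMF URLs use both; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

EXPLOIT_UA = "smf hash grabber v1.0"
# Combined log format: "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Prefix-agnostic: matches smf_members and any custom <prefix>members table.
UNION_RE = re.compile(r"\bunion\b.*?\bselect\b.*?\bfrom\s+\w*members\b", re.I | re.S)

def classify(line):
    """Return the list of indicators found in one access-log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    findings = []
    if EXPLOIT_UA in m["ua"].lower():
        findings.append("exploit-user-agent")
    url = urlsplit(m["target"])
    if url.path.lower().endswith("index.php"):
        # Normalise SMF's ';' separators, then URL-decode each value.
        params = dict(parse_qsl(url.query.replace(";", "&"), keep_blank_values=True))
        if UNION_RE.search(params.get("msg", "")):
            findings.append("union-select-members-in-msg")
    return findings

def scan(lines):
    """Map 1-based line numbers to their indicators, skipping clean lines."""
    hits = {}
    for n, line in enumerate(lines, 1):
        found = classify(line)
        if found:
            hits[n] = found
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Jan/2020:10:00:00 +0000] "GET /forum/index.php?topic=3.0;msg=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Jan/2020:10:00:01 +0000] "POST /index.php?action=login2 HTTP/1.1" 200 812 "-" "SMF Hash Grabber v1.0"',
    '198.51.100.7 - - [15/Jan/2020:10:00:02 +0000] "GET /index.php?msg=1%20UNION%20SELECT%20memberName,0,passwd,0,0%20FROM%20smf_members%20WHERE%20ID_MEMBER=1 HTTP/1.1" 200 900 "-" "SMF Hash Grabber v1.0"',
    '192.0.2.9 - - [15/Jan/2020:10:00:03 +0000] "GET /forum/index.php?topic=3.0;msg=1%20union%20select%20memberName,0,passwd,0,0%20from%20forum1_members HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG).items():
        print(n, found)
```

The fourth sample line shows why the table match is prefix-agnostic: it carries a custom prefix and an ordinary browser User-Agent, so a rule keyed to `smf_members` or to the exploit's User-Agent alone would miss it.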

CVSS provenance

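| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |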