In SemanticDrilldown current master 044614d there is a SQL injection through:
- the GET parameter "_cat" of the special page Special:BrowseData
- read in class SDBrowseData and passed to the SDBrowseDataPage object
- saved in the property `category` of the SDBrowseDataPage object
- transmitted by SDBrowseData::printAppliedFilterLine() to SDAppliedFilter::getAllOrValues()
- injected into the SQL query in SDAppliedFilter::getAllOrValues()
The method SDBrowseData::printAppliedFilterLine() is used to display the SMW values when an SMW property value is selected.
An example URL is /Special:BrowseData?SomeProperty=SomeValue&_cat=SomeCategory'_OR_''='. The category SomeCategory'_OR_''=' has to exist on the wiki; the result is that the WHERE clause is bypassed and more values than requested are displayed.
More harmful SQL queries could possibly be created, but the injection is limited by the existing escaping '_' → ' ' (which prevents the use of any column or table name containing an underscore) and by the two remaining lines of the original SQL query (which prevent easy use of SQL comments “--”, since those two lines must still be integrated into a valid SQL statement to avoid a global SQL error).
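To illustrate the bug class, here is an added, constructed model (not SemanticDrilldown's code or schema) in Python with an in-memory SQLite table: one function concatenates the category into the WHERE clause after the '_' → ' ' replacement described above, the other passes it as a bound parameter. The table name, columns and rows are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data; "Delta" lives in a category whose name is the
# payload from the report, since the report says that category must exist.
ROWS = [
    ("SomeCategory", "SomeProperty", "Alpha"),
    ("SomeCategory", "SomeProperty", "Beta"),
    ("OtherCategory", "SomeProperty", "Gamma"),
    ("SomeCategory' OR ''='", "SomeProperty", "Delta"),
]


def _db():
    """Fresh in-memory table (hypothetical schema) filled with ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page_values (category TEXT, property TEXT, value TEXT)")
    conn.executemany("INSERT INTO page_values VALUES (?, ?, ?)", ROWS)
    return conn


def normalize_cat(raw_cat):
    """The only transformation the report mentions: '_' becomes ' '."""
    return raw_cat.replace("_", " ")


def get_or_values_vulnerable(raw_cat, prop):
    """Category concatenated into the WHERE clause: the pattern described in the report.
    A quote in the category closes the literal, so 'OR ''=''' widens the match
    and every row with the property is returned, not only the requested category."""
    cat = normalize_cat(raw_cat)
    sql = ("SELECT value FROM page_values WHERE category = '" + cat + "' "
           "AND property = '" + prop + "' ORDER BY value")
    return [r[0] for r in _db().execute(sql)]


def get_or_values_fixed(raw_cat, prop):
    """Same query with bound parameters: the category is data, never SQL text,
    so the payload only matches a category literally named that way."""
    cat = normalize_cat(raw_cat)
    sql = "SELECT value FROM page_values WHERE category = ? AND property = ? ORDER BY value"
    return [r[0] for r in _db().execute(sql, (cat, prop))]
```

In MediaWiki code the equivalent fix is to pass the condition as an array element to `$dbr->select()` (or wrap the value with `$dbr->addQuotes()`) instead of building the WHERE string by hand.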
I found this SQLi with phan-taint-check-plugin.
Affiliation: Wiki Valley