Title: PicoPublisher v2.0 Remote SQL injection
Author: ZeTH www.2cto.com zeth/at/hacktheplan8/dot/com
Developer: Pico Software http://pico.no/
Affected Versions: 2.0
Price: $29,00
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-- [1] -- Introduction
PicoPublisher business software
PicoPublisher is a product from Pico Software
[Manage Your Website]
PicoPublisher makes it easy to manage your website. With the built-in
templates you can add columns, slideshows, tabs, boxes and videos
directly from the text editor.
[Manage your customers]
CRM systems are often too expensive for small businesses. With
PicoPublisher you can manage your customers just as easily as your
website, and in the same place!
[Create invoices]
Create professional PDF invoices in seconds. Add products to the
database and insert products into the invoice directly. You will get
restrictions when invoices are overdue.
-- [2] -- Vulnerability description
Pages:
[+] page.php
[+] single.php
Attack method: Remote SQL injection (unfiltered "id" parameter)
POC:
[+] http://www.bkjia.com/page.php?id=SQLi
[+] http://www.bkjia.com/single.php?id=SQLi
Tables:
+-------------------+
| Customers         |
| Expenses          |
| Gallery_category  |
| Gallery_photos    |
| Invoice_reminders |
| Invoices          |
| Invoices_product  |
| Menu_items        |
| Menus             |
| Notes             |
| Options           |
| Orders            |
| Orders_product    |
| Pages             |
| Pico_comments     |
| Pico_config       |
| Pico_karma_voted  |
| Posts             |
| Product_list      |
| Users             |
+-------------------+
-- [3] -- Fix:
Filter the "id" parameter on the pages listed above before it reaches the database query.
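What that filtering looks like in practice, as an added example written for this advisory and not taken from PicoPublisher's code: a hypothetical page.php lookup that drops the id parameter straight into the SQL string, next to a hardened version that validates the value as an integer and binds it through a prepared statement. The PDO connection and the column names (id, title, content) are assumptions; only the "pages" table name comes from the advisory.

```php
<?php
// Added example (not PicoPublisher's code). Assumes a PDO handle $db and a
// "pages" table with columns id, title and content (column names assumed).

// BEFORE: the request parameter is interpolated into the query text, so a
// non-numeric value is parsed by the database as part of the SQL statement.
function loadPageUnsafe(PDO $db, array $get): ?array
{
    $id  = $get['id'] ?? '';
    $sql = "SELECT id, title, content FROM pages WHERE id = $id";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// AFTER: validate the parameter's shape first, then bind it as a typed value
// so the database never sees user input inside the SQL text.
function loadPageSafe(PDO $db, array $get): ?array
{
    // A legitimate page id is a positive integer; reject anything else early.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    $stmt = $db->prepare('SELECT id, title, content FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Defensive PDO setup: surface errors as exceptions and use server-side
// prepared statements instead of client-side emulation.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}
```

The same change applies to single.php; the integer check alone blocks the malformed input, and the bound parameter keeps the query safe even for parameters that legitimately accept text.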