CVE-2008-6608
DevelopItEasy Events Calendar 1.2 - SQL Injection via User Name, User Pass, or ID Parameter
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2008-6608. PoCs published by InjEctOr5.
AI-analyzed exploit summary
This exploit demonstrates a SQL injection vulnerability in Events Calendar v1.2, allowing an attacker to extract user credentials from the 'login' table via a UNION-based attack. It also includes an authentication bypass technique using SQL injection in the admin login.
Description
Multiple SQL injection vulnerabilities in DevelopItEasy Events Calendar 1.2 allow remote attackers to execute arbitrary SQL commands via (1) the user_name parameter (aka user field) to admin/index.php, (2) the user_pass parameter (aka pass field) to admin/index.php, or (3) the id parameter to calendar_details.php. NOTE: some of these details are obtained from third party information.