
WordPress Booking Calendar Contact Form 1.0.23 Blind SQL Injection

Posted on 10 February 2016

# Exploit Title: WordPress Booking Calendar Contact Form <=v1.0.23 - Unauthenticated blind SQL injection
# Date: 2016-02-08
# Google Dork: Index of /wp-content/plugins/booking-calendar-contact-form
# Exploit Author: Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]
# Vendor Homepage: http://wordpress.dwbooster.com/
# Plugin URI: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Version: 1.0.23
# Tested on: Windows 10 + Firefox.

==============
 Description
==============

Create a booking form with a reservation calendar or a classic contact form, connected to a PayPal payment button.

With the **Booking Calendar Contact Form** you can create a **classic contact form** or a **booking form with a reservation calendar**, connected to a PayPal payment button. The reservation calendar lets the customer select the start (ex: check-in) and end (ex: checkout) dates.

The **reservation calendar** is an optional item, so it can be disabled to create a **general purpose contact form**.

There are two types of bookings available in the calendar configuration: full day bookings or partial day bookings. With full day bookings the whole day is blocked / reserved, while in partial day bookings the start and end dates are partially blocked, as used for example in **room/hotel bookings**.

===================
 Technical details
===================

The Booking Calendar plugin is prone to a blind SQL injection because it fails to sanitize a parameter that is used in a SQL statement. The function ´dex_bccf_get_option´ uses a constant called ´CP_BCCF_CALENDAR_ID´, which is not sanitized and is used as the value of the ´id´ parameter in the SQL query.

The vulnerable function is called from many other functions. One of those is ´dex_bccf_calendar_load2´, which sets ´CP_BCCF_CALENDAR_ID´ with the following code:

""
$calid = str_replace(TDE_BCCFCAL_PREFIX, "", @$_GET["id"]);
if (!defined('CP_BCCF_CALENDAR_ID') && $calid != '-1')
    define('CP_BCCF_CALENDAR_ID', $calid);
""

The function ´dex_bccf_get_option´ is then called inside the ´dex_bccf_calendar_load2´ function:

""
...
$option = dex_bccf_get_option('calendar_overlapped', DEX_BCCF_DEFAULT_CALENDAR_OVERLAPPED);
...
""

The ´dex_bccf_calendar_load2´ function is called when the following URL is requested:

http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=list&id=<SQLI commands>

A malicious unauthenticated user can exploit the SQL injection and obtain all records from the database.

==================
 Proof of concept
==================

http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=list&id=1%20and%20sleep(10)

==========
 CREDITS
==========

Vulnerability discovered by:
Joaquin Ramirez Martinez [i0 security-lab]
joaquin.ramirez.mtz.lab[at]gmail[dot]com
https://www.facebook.com/I0-security-lab-524954460988147/
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q

========
TIMELINE
========

2016-02-01 vulnerability discovered
2016-02-05 reported to vendor
2016-02-08 released fixed plugin v1.0.24
2016-02-08 public disclosure
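
A detection check for the request described under Technical details, added here as an example and not part of the original advisory or the plugin's code: it scans web-server access-log lines for calls to the dex_bccf_calendar_ajaxevent action whose id is not a plain identifier. The log lines are constructed, and the pattern for a legitimate id (optional letter prefix plus digits, or -1) is an assumption, since the page does not give the value of TDE_BCCFCAL_PREFIX.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate id is an optional letter/underscore prefix followed
# by digits, or the literal -1 that the plugin code treats specially.
SAFE_ID = re.compile(r"-1|[A-Za-z_]*\d+")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
ACTION = "dex_bccf_calendar_ajaxevent"


def suspicious_calendar_requests(log_lines):
    """Return (client_ip, decoded_id) for each request to the plugin's AJAX
    action whose id query parameter is not a plain identifier."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # parse_qs URL-decodes values, so %20 and + both become spaces.
        # Only the query string is visible here; POST bodies are not logged.
        params = parse_qs(url.query, keep_blank_values=True)
        if ACTION not in params.get("action", []):
            continue
        if "dex_bccf_calendar_load2" not in params:
            continue
        for value in params.get("id", []):
            if not SAFE_ID.fullmatch(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits


# Constructed sample log lines (documentation-range addresses).
BASE = "/wordpress/wp-admin/admin-ajax.php"
SAMPLE_LOG = [
    f'192.0.2.10 - - [08/Feb/2016:10:00:01 +0000] "GET {BASE}?action={ACTION}'
    '&dex_bccf_calendar_load2=list&id=1 HTTP/1.1" 200 512',
    f'198.51.100.7 - - [08/Feb/2016:10:00:05 +0000] "GET {BASE}?action={ACTION}'
    '&dex_bccf_calendar_load2=list&id=1%20and%20sleep(10) HTTP/1.1" 200 2',
    f'192.0.2.10 - - [08/Feb/2016:10:00:09 +0000] "GET {BASE}?action=heartbeat'
    '&id=1%20and%201 HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for ip, value in suspicious_calendar_requests(SAMPLE_LOG):
        print(f"{ip} sent non-identifier calendar id: {value!r}")
```

Sites that cannot upgrade to v1.0.24 immediately can use the same id pattern as a blocking rule at a reverse proxy or WAF in front of admin-ajax.php.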
