# Exploit Title: WordPress appointment-booking-calendar <=1.1.23 - Shortcode SQL injection
# Date: 2016-01-24
# Google Dork: Index of /wordpress/wp-content/plugins/appointment-booking-calendar/
# Exploit Author: Joaquin Ramirez Martinez [i0 security-lab]
# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Vendor: CodePeople.net
# Vebdor URI: http://codepeople.net
# Version: 1.1.23
# OWASP Top10: A1-Injection
# Tested on: windows 10 + firefox + sqlmap 1.0.

===================
PRODUCT DESCRIPTION
===================
"Appointment Booking Calendar is a plugin for **accepting online bookings** from a set of **available time-slots in 
a calendar**. The booking form is linked to a **PayPal** payment process.

You can use it to accept bookings for medical consultation, classrooms, events, transportation and other activities
where a specific time from a defined set must be selected, allowing you to define the maximum number of bookings 
that can be accepted for each time-slot."

(copy of readme file)


======================
EXPLOITATION TECHNIQUE
======================
remote

==============
SEVERITY LEVEL
==============

critical

================================
TECHNICAL DETAILS && DESCRIPTION
================================

A SQL injection flaw was discovered within the latest WordPress appointment-booking-calendar plugin version 1.1.20.

The flaw was found in the function to run when a shortcode is found within a page in the wordpress site.
The function mentioned use unsanitized attributes and a user authenticated as a editor, autor or 
administrator (compromised) can exploit this vulnerability by adding crafted shortcodes on a page or post.

The security risk of SQL injection vulnerabilities are extremely because by using this type of flaw, 
an attacker can compromise the entire web server.

================
PROOF OF CONCEPT
================

An attacker(editor, autor or administrator) can embed into a post the following shortcode...

[CPABC_APPOINTMENT_LIST calendar="-1 or sleep(10)#"]

... and the post will take ten seconds loading.

==========
 CREDITS
==========

Vulnerability discovered by:
  Joaquin Ramirez Martinez [i0 security-lab]
  strparser[at]gmail[dot]com
  https://www.facebook.com/I0-security-lab-524954460988147/
  https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q


========
TIMELINE
========

2016-01-08 vulnerability discovered
2016-01-24 reported to vendor
2016-01-25 released appointment-booking-calendar 1.1.24
2016-01-26 full disclosure