Home / os / winmobile

WordPress Appointment Booking Calendar 1.1.24 SQL Injection

Posted on 29 January 2016

# Exploit Title: WordPress appointment-booking-calendar <=1.1.24 - SQL injection through ´addslashes´ (wordpress ´wp_magic_quotes´ function) # Date: 2016-01-28 # Google Dork: Index of /wordpress/wp-content/plugins/appointment-booking-calendar/ # Exploit Author: Joaquin Ramirez Martinez [now i0 security-lab] # Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form # Vendor: CodePeople.net # Vebdor URI: http://codepeople.net # Version: 1.1.24 # OWASP Top10: A1-Injection # Tested on: windows 10 + firefox + sqlmap 1.0. =================== PRODUCT DESCRIPTION =================== "Appointment Booking Calendar is a plugin for **accepting online bookings** from a set of **available time-slots in a calendar**. The booking form is linked to a **PayPal** payment process. You can use it to accept bookings for medical consultation, classrooms, events, transportation and other activities where a specific time from a defined set must be selected, allowing you to define the maximum number of bookings that can be accepted for each time-slot." (copy of readme file) ====================== EXPLOITATION TECHNIQUE ====================== remote ============== SEVERITY LEVEL ============== critical ================================ TECHNICAL DETAILS && DESCRIPTION ================================ A SQL injection flaw was discovered within the latest WordPress appointment-booking-calendar plugin version 1.1.24. The flaw were found in the function that is executed when the action ´cpabc_appointments_calendar_update´ is called. The action is added with ´init´ tag, so it function is called every time when parameter ´action=cpabc_appointments_calendar_update´ appear in the query string (GET request) or POST request. Exploiting succesful this vulnerability we need a vulnerable wordpress site with especial character set for to bypass the ´addslashes´ function (called automatically and applied in all variables $_POST and $_GET by wordpress ´wp_magic_quotes´ function) and we need own a calendar too (could be owned by privilege escalation) or be a user with ´edit_pages´ permission (admin|editor). The security risk of SQL injection vulnerabilities are extremely because by using this type of flaw, an attacker can compromise the entire web server. ================ PROOF OF CONCEPT ================ An unauthenticated attacker can make a request like... http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=cpabc_appointments_check_posted_data &cpabc_calendar_update=1&id=<owned calendar id> Example: Exploiting simple SQL injection: http://localhost/wordpress/wp-admin/admin-ajax.php?action=cpabc_appointments_calendar_update &cpabc_calendar_update=1&id=1 Post data: specialDates=&workingDates&restrictedDates&timeWorkingDates0&timeWorkingDates1&timeWorkingDates2 &timeWorkingDates3&timeWorkingDates4&timeWorkingDates5& imeWorkingDates6 All post variables are vulnerable to SQLi with ´addslashes´ bypass. =============== VULNERABLE CODE =============== located in ´cpabc_appointments.php´ function cpabc_appointments_calendar_update() { global $wpdb, $user_ID; if ( ! isset( $_GET['cpabc_calendar_update'] ) || $_GET['cpabc_calendar_update'] != '1' ) return; $calid = intval(str_replace (CPABC_TDEAPP_CAL_PREFIX, "",$_GET["id"])); if ( ! current_user_can('edit_pages') && !cpabc_appointments_user_access_to($calid) ) return; echo "sa"; cpabc_appointments_add_field_verify(CPABC_TDEAPP_CONFIG, 'specialDates'); //@ob_clean(); header("Cache-Control: no-store, no-cache, must-revalidate"); header("Pragma: no-cache"); if ( $user_ID ) $wpdb->query("update ".CPABC_TDEAPP_CONFIG." set specialDates='".$_POST["specialDates"]."',".CPABC_TDEAPP_CONFIG_WORKINGDATES."='" .$_POST["workingDates"]."',".CPABC_TDEAPP_CONFIG_RESTRICTEDDATES."='".$_POST["restrictedDates"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES0. "='".$_POST["timeWorkingDates0"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES1."='".$_POST["timeWorkingDates1"]."',". CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES2."='".$_POST["timeWorkingDates2"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES3."='" .$_POST["timeWorkingDates3"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES4."='".$_POST["timeWorkingDates4"]."'," .CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES5."='".$_POST["timeWorkingDates5"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES6 ."='".$_POST["timeWorkingDates6"]."' where ".CPABC_TDEAPP_CONFIG_ID."=".$calid); exit(); } =========== Note: cpabc_appointments_calendar_update2() function is vulnerable too by the same exploit explaned here. ========== CREDITS ========== Vulnerability discovered by: Joaquin Ramirez Martinez [i0 security-lab] strparser[at]gmail[dot]com https://www.facebook.com/I0-security-lab-524954460988147/ https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q ======== TIMELINE ======== 2016-01-08 vulnerability discovered 2016-01-24 reported to vendor 2016-01-27 released plugin version 1.1.25 2016-01-28 public disclousure

 

TOP