# Exploit Title: WordPress appointment-booking-calendar <=1.1.24 - SQL injection through ´addslashes´ (WordPress ´wp_magic_quotes´ function)
# Date: 2016-01-28
# Google Dork: Index of /wordpress/wp-content/plugins/appointment-booking-calendar/
# Exploit Author: Joaquin Ramirez Martinez [now i0 security-lab]
# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Vendor: CodePeople.net
# Vendor URI: http://codepeople.net
# Version: 1.1.24
# OWASP Top10: A1-Injection
# Tested on: Windows 10 + Firefox + sqlmap 1.0

===================
PRODUCT DESCRIPTION
===================

"Appointment Booking Calendar is a plugin for **accepting online bookings** from a set of **available time-slots in a calendar**. The booking form is linked to a **PayPal** payment process. You can use it to accept bookings for medical consultation, classrooms, events, transportation and other activities where a specific time from a defined set must be selected, allowing you to define the maximum number of bookings that can be accepted for each time-slot."
(copy of readme file)

======================
EXPLOITATION TECHNIQUE
======================

remote

==============
SEVERITY LEVEL
==============

critical

================================
TECHNICAL DETAILS && DESCRIPTION
================================

A SQL injection flaw was discovered in the latest version (1.1.24) of the WordPress appointment-booking-calendar plugin. The flaw is in the function that is executed when the action ´cpabc_appointments_calendar_update´ is called. The action is registered on the ´init´ hook, so the function runs every time the parameter ´action=cpabc_appointments_calendar_update´ appears in the query string (GET request) or in a POST request.

To exploit this vulnerability successfully, we need a vulnerable WordPress site that uses a special character set which allows bypassing the ´addslashes´ function (called automatically and applied to all $_POST and $_GET variables by the WordPress ´wp_magic_quotes´ function), and we also need to own a calendar (which could be obtained through privilege escalation) or be a user with the ´edit_pages´ capability (admin or editor). The security risk of SQL injection vulnerabilities is extremely high, because by using this type of flaw an attacker can compromise the entire web server.

================
PROOF OF CONCEPT
================

An unauthenticated attacker can make a request like...

http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=cpabc_appointments_check_posted_data&cpabc_calendar_update=1&id=<owned calendar id>

Example: exploiting a simple SQL injection:

http://localhost/wordpress/wp-admin/admin-ajax.php?action=cpabc_appointments_calendar_update&cpabc_calendar_update=1&id=1

Post data:

specialDates=&workingDates&restrictedDates&timeWorkingDates0&timeWorkingDates1&timeWorkingDates2&timeWorkingDates3&timeWorkingDates4&timeWorkingDates5&timeWorkingDates6

All POST variables are vulnerable to SQLi with the ´addslashes´ bypass.

===============
VULNERABLE CODE
===============

located in ´cpabc_appointments.php´

    function cpabc_appointments_calendar_update() {
        global $wpdb, $user_ID;

        if ( ! isset( $_GET['cpabc_calendar_update'] ) || $_GET['cpabc_calendar_update'] != '1' )
            return;

        // The calendar id is cast to an integer, so it is not injectable.
        $calid = intval( str_replace( CPABC_TDEAPP_CAL_PREFIX, "", $_GET["id"] ) );

        if ( ! current_user_can('edit_pages') && ! cpabc_appointments_user_access_to( $calid ) )
            return;

        echo "sa";
        cpabc_appointments_add_field_verify( CPABC_TDEAPP_CONFIG, 'specialDates' );

        //@ob_clean();
        header("Cache-Control: no-store, no-cache, must-revalidate");
        header("Pragma: no-cache");

        // Every $_POST value below is concatenated straight into the UPDATE statement.
        // The only escaping is the addslashes() applied by wp_magic_quotes(), which is
        // not aware of the connection's character set.
        if ( $user_ID )
            $wpdb->query( "update " . CPABC_TDEAPP_CONFIG . " set specialDates='" . $_POST["specialDates"] . "',"
                . CPABC_TDEAPP_CONFIG_WORKINGDATES . "='" . $_POST["workingDates"] . "',"
                . CPABC_TDEAPP_CONFIG_RESTRICTEDDATES . "='" . $_POST["restrictedDates"] . "',"
                . CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES0 . "='" . $_POST["timeWorkingDates0"] . "',"
                . CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES1 . "='" . $_POST["timeWorkingDates1"] . "',"
                . CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES2 . "='" . $_POST["timeWorkingDates2"] . "',"
                . CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES3 . "='" . $_POST["timeWorkingDates3"] . "',"
                . CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES4 . "='" . $_POST["timeWorkingDates4"] . "',"
                . CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES5 . "='" . $_POST["timeWorkingDates5"] . "',"
                . CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES6 . "='" . $_POST["timeWorkingDates6"] . "'"
                . " where " . CPABC_TDEAPP_CONFIG_ID . "=" . $calid );

        exit();
    }

===========
Note: the cpabc_appointments_calendar_update2() function is vulnerable too, by the same exploit explained here.

==========
CREDITS
==========

Vulnerability discovered by: Joaquin Ramirez Martinez [i0 security-lab]
strparser[at]gmail[dot]com
https://www.facebook.com/I0-security-lab-524954460988147/
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q

========
TIMELINE
========

2016-01-08 vulnerability discovered
2016-01-24 reported to vendor
2016-01-27 released plugin version 1.1.25
2016-01-28 public disclosure
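As an added example that is not part of the original advisory nor the vendor's 1.1.25 patch, the same UPDATE rewritten so that every POST value goes through $wpdb->prepare() as a placeholder instead of being concatenated; the function name is assumed, the table and column constants are the plugin's own as shown above.

```php
<?php
// Added example (not the plugin's code): hardened form of the UPDATE issued by
// cpabc_appointments_calendar_update(). Values are bound with %s / %d placeholders,
// so $wpdb escapes them with the live connection's character set; column names
// come only from plugin constants and are never taken from the request.
function cpabc_appointments_calendar_update_hardened() {
    global $wpdb, $user_ID;

    if ( ! isset( $_GET['cpabc_calendar_update'] ) || $_GET['cpabc_calendar_update'] != '1' ) {
        return;
    }
    $calid = intval( str_replace( CPABC_TDEAPP_CAL_PREFIX, '', $_GET['id'] ) );
    if ( ! current_user_can( 'edit_pages' ) && ! cpabc_appointments_user_access_to( $calid ) ) {
        return;
    }
    if ( ! $user_ID ) {
        return;
    }

    // POST field => column constant, the same pairs as the original query.
    $columns = array(
        'specialDates'      => 'specialDates',
        'workingDates'      => CPABC_TDEAPP_CONFIG_WORKINGDATES,
        'restrictedDates'   => CPABC_TDEAPP_CONFIG_RESTRICTEDDATES,
        'timeWorkingDates0' => CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES0,
        'timeWorkingDates1' => CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES1,
        'timeWorkingDates2' => CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES2,
        'timeWorkingDates3' => CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES3,
        'timeWorkingDates4' => CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES4,
        'timeWorkingDates5' => CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES5,
        'timeWorkingDates6' => CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES6,
    );

    $assignments = array();
    $values      = array();
    foreach ( $columns as $field => $column ) {
        $assignments[] = '`' . $column . '` = %s';
        // wp_unslash() removes the slashes added by wp_magic_quotes(); prepare()
        // then re-escapes the raw value correctly for the connection charset.
        $values[] = isset( $_POST[ $field ] ) ? wp_unslash( $_POST[ $field ] ) : '';
    }
    $values[] = $calid;

    $sql = 'UPDATE `' . CPABC_TDEAPP_CONFIG . '` SET ' . implode( ', ', $assignments )
         . ' WHERE `' . CPABC_TDEAPP_CONFIG_ID . '` = %d';

    header( 'Cache-Control: no-store, no-cache, must-revalidate' );
    header( 'Pragma: no-cache' );
    $wpdb->query( $wpdb->prepare( $sql, $values ) );
    exit();
}
```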