WordPress Appointment Booking Calendar 1.1.24 SQL Injection

`# Exploit Title: WordPress appointment-booking-calendar <=1.1.24 - SQL injection through ´addslashes´ (wordpress ´wp_magic_quotes´ function)  
# Date: 2016-01-28  
# Google Dork: Index of /wordpress/wp-content/plugins/appointment-booking-calendar/  
# Exploit Author: Joaquin Ramirez Martinez [now i0 security-lab]  
# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form  
# Vendor: CodePeople.net  
# Vebdor URI: http://codepeople.net  
# Version: 1.1.24  
# OWASP Top10: A1-Injection  
# Tested on: windows 10 + firefox + sqlmap 1.0.  
  
===================  
PRODUCT DESCRIPTION  
===================  
"Appointment Booking Calendar is a plugin for **accepting online bookings** from a set of **available time-slots in   
a calendar**. The booking form is linked to a **PayPal** payment process.  
  
You can use it to accept bookings for medical consultation, classrooms, events, transportation and other activities  
where a specific time from a defined set must be selected, allowing you to define the maximum number of bookings   
that can be accepted for each time-slot."  
  
(copy of readme file)  
  
  
======================  
EXPLOITATION TECHNIQUE  
======================  
remote  
  
==============  
SEVERITY LEVEL  
==============  
  
critical  
  
================================  
TECHNICAL DETAILS && DESCRIPTION  
================================  
  
A SQL injection flaw was discovered within the latest WordPress appointment-booking-calendar plugin version 1.1.24.  
  
The flaw were found in the function that is executed when the action ´cpabc_appointments_calendar_update´ is called.  
The action is added with ´init´ tag, so it function is called every time when parameter   
´action=cpabc_appointments_calendar_update´ appear in the query string (GET request) or POST request.  
  
Exploiting succesful this vulnerability we need a vulnerable wordpress site with especial character set for to bypass  
the ´addslashes´ function (called automatically and applied in all variables $_POST and $_GET by wordpress ´wp_magic_quotes´  
function) and we need own a calendar too (could be owned by privilege escalation) or be a user with ´edit_pages´ permission (admin|editor).  
  
The security risk of SQL injection vulnerabilities are extremely because by using this type of flaw, an attacker  
can compromise the entire web server.  
  
================  
PROOF OF CONCEPT  
================  
  
An unauthenticated attacker can make a request like...  
  
http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=cpabc_appointments_check_posted_data  
&cpabc_calendar_update=1&id=<owned calendar id>  
  
Example:  
  
Exploiting simple SQL injection:  
  
http://localhost/wordpress/wp-admin/admin-ajax.php?action=cpabc_appointments_calendar_update  
&cpabc_calendar_update=1&id=1  
  
Post data:  
specialDates=&workingDates&restrictedDates&timeWorkingDates0&timeWorkingDates1&timeWorkingDates2  
&timeWorkingDates3&timeWorkingDates4&timeWorkingDates5& imeWorkingDates6   
  
All post variables are vulnerable to SQLi with ´addslashes´ bypass.  
  
===============  
VULNERABLE CODE  
===============  
  
located in ´cpabc_appointments.php´  
  
function cpabc_appointments_calendar_update() {  
global $wpdb, $user_ID;  
  
if ( ! isset( $_GET['cpabc_calendar_update'] ) || $_GET['cpabc_calendar_update'] != '1' )  
return;  
  
$calid = intval(str_replace (CPABC_TDEAPP_CAL_PREFIX, "",$_GET["id"]));  
if ( ! current_user_can('edit_pages') && !cpabc_appointments_user_access_to($calid) )  
return;  
echo "sa";  
cpabc_appointments_add_field_verify(CPABC_TDEAPP_CONFIG, 'specialDates');  
  
//@ob_clean();  
header("Cache-Control: no-store, no-cache, must-revalidate");  
header("Pragma: no-cache");  
if ( $user_ID )   
$wpdb->query("update ".CPABC_TDEAPP_CONFIG." set specialDates='".$_POST["specialDates"]."',".CPABC_TDEAPP_CONFIG_WORKINGDATES."='"  
.$_POST["workingDates"]."',".CPABC_TDEAPP_CONFIG_RESTRICTEDDATES."='".$_POST["restrictedDates"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES0.  
"='".$_POST["timeWorkingDates0"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES1."='".$_POST["timeWorkingDates1"]."',".  
CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES2."='".$_POST["timeWorkingDates2"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES3."='"  
.$_POST["timeWorkingDates3"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES4."='".$_POST["timeWorkingDates4"]."',"  
.CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES5."='".$_POST["timeWorkingDates5"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES6  
."='".$_POST["timeWorkingDates6"]."' where ".CPABC_TDEAPP_CONFIG_ID."=".$calid);  
  
exit();  
}  
  
  
===========  
  
  
Note:  
cpabc_appointments_calendar_update2() function is vulnerable too by the same exploit explaned here.  
  
  
==========  
CREDITS  
==========  
  
Vulnerability discovered by:  
Joaquin Ramirez Martinez [i0 security-lab]  
strparser[at]gmail[dot]com  
https://www.facebook.com/I0-security-lab-524954460988147/  
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q  
  
  
========  
TIMELINE  
========  
  
2016-01-08 vulnerability discovered  
2016-01-24 reported to vendor  
2016-01-27 released plugin version 1.1.25  
2016-01-28 public disclousure  
  
  
`