CVE-2018-5988
published 2018-01-24

CVE-2018-5988: SQL Injection exists in Flexible Poll 1.2 via the id parameter to mobile_preview.php or index.php.

Priority P267 · critical · 9.8 · CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 19.49% (97.0th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
flexible_poll_project | flexible_poll | |

Detection & IOCs (extracted from sources)

url: http://localhost/[PATH]/index.php?id=[SQL]
url: http://localhost/[PATH]/mobile_preview.php?id=[SQL]
command: -714'+UniOn+SElecT+(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),2,3,4,5--+-
path: /mobile_preview.php
path: /index.php
  • Monitor HTTP GET requests to index.php and mobile_preview.php for SQL injection patterns in the 'id' parameter, specifically looking for UNION SELECT, export_set(), and MySQL version-specific comment syntax (/*!08888...*/)
  • Detect the MySQL conditional comment bypass pattern /*!08888 in the id parameter of requests targeting Flexible Poll endpoints, used to evade basic WAF keyword filtering
  • Alert on use of export_set() function combined with information_schema.columns enumeration in URL query parameters, indicative of blind/error-based schema extraction
  • The exploit targets Flexible Poll version 1.2 specifically; verify the installed version before applying detections to avoid false positives on other versions
  • The SQL injection payload uses URL-encoded plus signs (+) as space substitutes and mixed-case SQL keywords (UniOn, SElecT) to bypass case-sensitive filters; detection rules must account for these obfuscation techniques
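
One way to apply the detection notes above to web server access logs, as an added example that is not part of the original entry or of the Flexible Poll project. It assumes combined-format log lines; the names `normalize` and `inspect` are hypothetical and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

ENDPOINTS = ("/index.php", "/mobile_preview.php")   # scripts named in the entry
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
VERSIONED = re.compile(r"/\*!\d{5}")                 # MySQL versioned-comment opener
KEYWORDS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "export_set": re.compile(r"\bexport_set\s*\("),
    "information_schema": re.compile(r"\binformation_schema\s*\.\s*columns\b"),
}
# Constructed sample lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Jan/2018:10:00:01 +0000] "GET /poll/index.php?id=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [24/Jan/2018:10:00:05 +0000] "GET /poll/index.php?id=-714%27+UniOn+SElecT+1,2,3,4,5--+- HTTP/1.1" 200 5301',
    '198.51.100.7 - - [24/Jan/2018:10:00:09 +0000] "GET /poll/mobile_preview.php?id=1+%2F*!08888uNiOn*%2F+%2F*!08888SeLeCt*%2F+export_set(5,1,0)+from+information_schema.columns HTTP/1.1" 200 7712',
    '203.0.113.4 - - [24/Jan/2018:10:01:00 +0000] "GET /blog/view.php?id=1+union+select+1,2 HTTP/1.1" 404 310',
]

def normalize(value):
    """Decode repeatedly, lower-case, and unwrap /*!NNNNN ... */ comments."""
    for _ in range(3):                      # bounded loop handles double encoding
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = VERSIONED.sub(" ", value.lower()).replace("*/", " ")
    return re.sub(r"\s+", " ", value)       # collapse '+'/space padding

def inspect(log_line):
    """Return sorted indicator names for one access-log line ([] if clean)."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith(ENDPOINTS):
        return []                           # only the two affected scripts are in scope
    hits = set()
    for raw in parse_qs(url.query, keep_blank_values=True).get("id", []):
        if VERSIONED.search(unquote_plus(raw)):
            hits.add("versioned_comment")
        text = normalize(raw)
        hits.update(name for name, rx in KEYWORDS.items() if rx.search(text))
    return sorted(hits)

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(inspect(line), line.split('"')[1])
```

Matching on the bare script names will also cover an unrelated `index.php` on the same host, so scope `ENDPOINTS` to the directory where Flexible Poll 1.2 is actually installed.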

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P