Vendor: GREEZLE
By: L0rd CrusAd3r aka VSN
CVSS: 8,8 (HIGH)
Type: Authentication Bypass
CWE: 89
Product Name: GREEZLE
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: No
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

GREEZLE – Global Real Estate Agent Site Authentication ByPass

GREEZLE is an easy-to-use site that allows selling any real estate objects online. Visitors are able to browse, search and view properties. It allows you to create agent accounts, who can also sell any real estate objects at a fee you charge. The provided script has an SQLi vulnerability in the admin login page. Use the string a' or '1'='1 for User name and Password to gain access.

Mitigation:

Ensure that all user input is properly validated and sanitized before being used in any SQL queries.

Exploit-DB raw data:

Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
Exploit Title: GREEZLE - Global Real Estate Agent Site Authentication ByPass
Published: 2010-06-09
Vendor url:http://www.ifstudio.org/greezla/
Price:99$
Greetz to:Sid3^effects, MaYur, M4n0j, Dark Blue™®, S1ayer and to all ICW
members
#############################################################################################################################################################################



Description:

GREEZLE is an easy-to-use site that allows selling any real estate objects
online.
Visitors are able to browse, search and view properties.
It allows you to create agent accounts, who can also sell any real estate
objects at a fee you charge.

###############################################################################################################################################################################

Vulnerability:

*Authentication Bypass found

The provided script has an SQLi vulnerability in the admin login page

Example : http://[site]/en/login

Use the string a' or '1'='1 for User name and Password to gain access

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 # 0day no more#
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


################################################################################################################################################################################
-- 
With R3gards,
L0rd CrusAd3r