Title: RealtyScript v4.0.2 Multiple Time-based Blind SQL Injection Vulnerabilities
Advisory ID: ZSL-2015-5270
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 19.10.2015

Summary

RealtyScript is award-winning real estate software that makes it effortless for a real estate agent, office, or entrepreneur to be up and running with a real estate web site in minutes. The software is in daily use on thousands of domain names in over 40 countries and has been translated into over 25 languages.

Description

RealtyScript suffers from multiple SQL Injection vulnerabilities. Input passed via the GET parameter 'u_id' and the POST parameter 'agent[]' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Vendor

Next Click Ventures - http://www.realtyscript.com

Affected Version

4.0.2

Tested On

Apache/2.4.6 (CentOS)
PHP/5.4.16
MariaDB-5.5.41

Vendor Status

[01.10.2015] Vulnerability discovered.
[08.10.2015] Vendor contacted.
[18.10.2015] No response from the vendor.
[19.10.2015] Public security advisory released.

PoC

realtyscript_sqli.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://www.exploit-db.com/exploits/38497/
[2] https://packetstormsecurity.com/files/134017
[3] https://cxsecurity.com/issue/WLB-2015100132
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/107425

Changelog

[19.10.2015] - Initial release
[21.10.2015] - Added reference [2] and [3]
[31.10.2015] - Added reference [4]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk