RealtyScript v4.0.2 Multiple Time-based Blind SQL Injection Vulnerabilities

Advisory ID: ZSL-2015-5270
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 19.10.2015
Summary
RealtyScript is award-winning real estate software that makes it effortless for a real estate agent, office, or entrepreneur to be up and running with a real estate web site in minutes. The software is in daily use on thousands of domain names in over 40 countries and has been translated into over 25 languages.
Description
RealtyScript suffers from multiple SQL Injection vulnerabilities. Input passed via the GET parameter 'u_id' and the POST parameter 'agent[]' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
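The advisory does not reproduce the affected queries, so the following is an added illustration rather than RealtyScript's code: it contrasts concatenating a scalar parameter ('u_id') and an array parameter ('agent[]') into SQL text with binding them through placeholders. The in-memory SQLite schema, table and column names are constructed assumptions.

```python
import sqlite3

# Constructed in-memory schema standing in for the application's tables
# (assumption: the real RealtyScript schema is not shown in the advisory).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (u_id INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE agents (agent_id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO users VALUES (1, 'one@example.invalid'), (2, 'two@example.invalid');
        INSERT INTO agents VALUES (10, 'A'), (11, 'B'), (12, 'C');
    """)
    return con

def user_vulnerable(con, u_id):
    # The pattern the advisory describes: the GET value is spliced into the
    # statement text, so the database executes whatever string was sent.
    sql = "SELECT u_id FROM users WHERE u_id = " + u_id + " ORDER BY u_id"
    return con.execute(sql).fetchall()

def agents_vulnerable(con, agent):
    # The array parameter is joined into an IN (...) list the same way; a
    # single element can close the list and append its own condition.
    sql = ("SELECT agent_id FROM agents WHERE agent_id IN ("
           + ",".join(agent) + ") ORDER BY agent_id")
    return con.execute(sql).fetchall()

def user_hardened(con, u_id):
    # Coerce to the expected type (ValueError on anything non-numeric),
    # then bind: the value can only ever reach the engine as an operand.
    sql = "SELECT u_id FROM users WHERE u_id = ? ORDER BY u_id"
    return con.execute(sql, (int(u_id),)).fetchall()

def agents_hardened(con, agent):
    # One placeholder per element: the IN list is built from '?' only,
    # never from user-supplied text. Empty input short-circuits.
    ids = [int(a) for a in agent]
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = ("SELECT agent_id FROM agents WHERE agent_id IN ("
           + placeholders + ") ORDER BY agent_id")
    return con.execute(sql, ids).fetchall()
```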
Vendor
Next Click Ventures - http://www.realtyscript.com
Affected Version
4.0.2
Tested On
Apache/2.4.6 (CentOS)
PHP/5.4.16
MariaDB-5.5.41
Vendor Status
[01.10.2015] Vulnerability discovered.
[08.10.2015] Vendor contacted.
[18.10.2015] No response from the vendor.
[19.10.2015] Public security advisory released.
PoC
realtyscript_sqli.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/38497/
[2] https://packetstormsecurity.com/files/134017
[3] https://cxsecurity.com/issue/WLB-2015100132
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/107425
Changelog
[19.10.2015] - Initial release
[21.10.2015] - Added references [2] and [3]
[31.10.2015] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk