MLS Property Finder Improper Access Control
Posted Mar 8, 2013
Authored by X-Cisadane

MLS Property Finder suffers from an improper access control vulnerability. Note that this finding houses site-specific data.

tags | exploit, bypass
SHA-256 | bfe705a9600eec5c7967a56b122c9365f0981b9776ce2992d7d4575f6eaaa5bd

=========================================================== 
MLS Property Finder Improper Access Control Vulnerability
===========================================================

:-----------------------------------------------------------------------------------------------------------------------:
: # Exploit Title : MLS Property Finder Improper Access Control Vulnerability
: # Date : 08 March 2013
: # Author : X-Cisadane
: # Vendor : http://www.mlspropertyfinder.com/ AND http://www.rls2000.com/
: # Version : All Versions
: # Category : Web Applications
: # Vulnerability : Improper Access Control Vulnerability
: # Tested On : Google Chrome 24.0.1312.52 m (Windows XP Professional SP 3 32-Bit EN US)
: # Greetz To : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Jakarta Anonymous Club, Bogor-H, Jabar Cyber
:-----------------------------------------------------------------------------------------------------------------------:

DORKS (How to find the target) :
================================
intext:How can MLS Property Finder benefit you
intext:"Do not use commas in your figures" inurl:calculator.asp
inurl:/register.asp?agentid=
intext:"Sign up for MLS Property Finder - "
intext:Take advantage of my FREE MLS Property Finder service
inurl:/detail_agent.asp?agentid=
inurl:/searchNEW.asp
intext:"Fill out the form below for a market analysis"
inurl:/listing.asp?SearchType=ByOffice
intext:daily email updates, and much more with MLS Property Finder.


Proof of Concept
=================
The website (CMS) does not restrict registered members from accessing the "/update" path. A registered member can get into the
Website CMS Manager and manage the website through the "/update" path via the URL, without Realtor (Site Author) privilege!

For Example :
Live Target : http://www.gowithcraig.com/register.asp?agentid=406764

1st. Sign up on the website by clicking 'Sign up for MLS Property Finder now' or through http://www.gowithcraig.com/register.asp?agentid=406764&s=contact
2nd. On the Registration Page, fill in your contact information (just a formality). Fill in the first name, last name, fake email address, etc.
Pic : http://i50.tinypic.com/2qn4207.png

3rd. Next click '>> Step 2'. When the Search Criteria Form appears, fill it out (just a formality). Then click Submit.
Pic : http://i49.tinypic.com/4l35nn.png

4th. After you've clicked the Submit button, and if the registration process was successful, this notification will appear : Thank you, For signing up for my MLS Property Finder,
you will receive an email with your username, password and instructions on how to log in to see your listings. Click here to view information on your properties selection.
Pic : http://i48.tinypic.com/33vj9zr.png

5th. Just click 'Click here' and you have entered the site with the 'Registered Member' feature/privilege.
Pic : http://i45.tinypic.com/2d8q23a.png

Now, how can we step into the Site Manager?
Look at your URL bar. If the URL is http://www.mlspropertyfinder.com/home/home.asp, change it to http://www.mlspropertyfinder.com/update/
Pic : http://i47.tinypic.com/w17l9t.png
Voila!!! Now you can Manage the site :)

If you wanna ruin (Deface) the Site, just replace the content of Site Homepage through http://www.mlspropertyfinder.com/update/update_websiteinfo.asp
Pic : http://i47.tinypic.com/a2u72w.png
And then Click Edit Content. After that, Click Front Page.
Pic : http://i48.tinypic.com/24phs8p.png
And the HTML Editor/Page Editor will show.
Just fill Meta Title with : Defaced By Your Nick Name.
And fill the Body (CLICK HTML<> BUTTON) with this Script : <script>document.body.innerHTML="<h1>0WN3D</h1>This Site 0WN3D BY : Your Nick Name<br/>";</script>
Pic : http://i46.tinypic.com/muu0q1.png
Click Apply and OK! And Submit. Check the Site (http://www.gowithcraig.com) and Voila!!! Defaced!!!
Pic : http://i50.tinypic.com/1zofdz4.png

If you wanna find the Realtor Agent (Site Author), just go to http://www.mlspropertyfinder.com/update/agents/
Pic : http://i46.tinypic.com/optkb5.png
Look at the Password : paper (based on my picture above). Once you have the password, you can log in as the Realtor Agent (Site Author) through http://www.gowithcraig.com/update/
Fill Username with the AgentID : 406764 and Fill Password with : paper
Pic : http://i50.tinypic.com/24czloy.png
Q : Where can I find the AgentID?
A : The AgentID appears in the URL bar while you are on the Register Page. If you've forgotten the AgentID, just go through the Registration Page :)

If the Username and Password are right, you can now log in as the Realtor Agent (Site Author)
Pic : http://i49.tinypic.com/296iyid.png

As an alternative login page for the Site Author, you can use this site : http://www.rls2000.com/search/login.asp
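
The flaw described above is closed by a server-side role and ownership check on every request under "/update". The sketch below is an added example, not code from the vendor or from the advisory's author; the session model, role constants, function names and the AgentID value "1001" are hypothetical.

```python
import posixpath
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# Role names follow the advisory's wording; the data model is hypothetical.
MEMBER = "registered_member"
REALTOR = "realtor"
ADMIN_PREFIXES = ("/update",)  # management area named in the advisory


@dataclass(frozen=True)
class Session:
    user_id: str
    role: str
    agent_id: Optional[str] = None  # AgentID of the site a Realtor owns


def is_admin_path(raw_path: str) -> bool:
    """True if the request path falls under a management prefix."""
    path = unquote(raw_path.split("?", 1)[0]).replace("\\", "/")
    # Collapse "..", "." and repeated slashes; IIS paths are case-insensitive.
    clean = posixpath.normpath("/" + path.lstrip("/")).lower()
    return any(clean == p or clean.startswith(p + "/") for p in ADMIN_PREFIXES)


def vulnerable_allow(session: Optional[Session], raw_path: str) -> bool:
    # Behaviour the advisory describes: being logged in is the only test.
    return session is not None


def hardened_allow(session: Optional[Session], raw_path: str,
                   site_agent_id: str) -> bool:
    if session is None:
        return False
    if not is_admin_path(raw_path):
        return True
    # Management pages: require the Realtor role AND ownership of this site.
    return session.role == REALTOR and session.agent_id == site_agent_id


if __name__ == "__main__":
    member = Session("m1", MEMBER)           # constructed sample accounts
    owner = Session("r1", REALTOR, "1001")
    for who in (member, owner):
        for path in ("/home/home.asp", "/update/", "/Update/agents/"):
            print(who.role, path, vulnerable_allow(who, path),
                  hardened_allow(who, path, "1001"))
```

The ownership comparison matters as much as the role: a Realtor of one site must not be able to manage another site's "/update" area.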
