DJ-Classifieds Extension Upload Vulnerability

vendor:

DJ-Classifieds Extension

by:

Sid3^effects aKa HaRi

8,8

CVSS

HIGH

Upload Vulnerability

434

CWE

Product Name: DJ-Classifieds Extension

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: No

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2020

DJ-Classifieds Extension Upload Vulnerability

The DJ-Classifieds extension allows users to add text advertisements into thematic categories, assigning images and descriptions to them. An attacker can exploit this vulnerability by uploading a malicious shell by changing the extension of the shell to .img,.gif or.bmp. The description part is also vulnerable. By uploading the evil script succesfully one can attack.

Mitigation:

Ensure that all user-supplied input is properly validated and sanitized before being used in any application logic.

Source

Exploit-DB raw data:

# Dork:inurl:com_djclassifieds
         

############################################################################

		ooooo  .oooooo.  oooooo   oooooo     oooo
		`888' d8P'  `Y8b  `888.    `888.     .8'
		 888 888           `888.   .8888.   .8'
		 888 888            `888  .8'`888. .8'
		 888 888             `888.8'  `888.8' 
 		 888 `88b    ooo      `888'    `888'
		o888o `Y8bood8P'       `8'      `8'   
                                        
--------------------------------------------------------------------------------------
#####################Sid3^effects aKa HaRi##################################
#Greetz to all Andhra Hackers and ICW Memebers[Indian Cyber Warriors]
#Thanks:*L0rd ÇrusAdêr*,d4rk-blu™®,R45C4L idi0th4ck3r,CR4C|< 008,M4n0j,MaYuR
#ShouTZ:kedar,dec0d3r,41.w4r10r     
#Catch us at www.andhrahackers.com or www.teamicw.in
############################################################################
 
Description :
 The DJ-Classifieds extension allows you to add text advertisements into thematic categories, assigning images and descriptions to them.
You can also allow users to add their own advertisements at your website with possibility to charge users for it (paypal).

Features:
free and paid classifieds
menu module
items module
search module

############################################################################

Xploit : Upload Vulnerability

       
 STEP 1 : Register first :)
 
 STEP 2 : Goto "Add classifieds"option.

 STEP 3 : The attacker either upload  a shell by changing the extension of the shell to .img,.gif or.bmp.
        The description part is also vulnerable.
        By uploading the evil script succesfully one can attack. :)


 Once uploaded you can check your classifieds :P

DEMO URL:

http://server/index.php?option=com_djclassifieds&view=showitem&cid=6&id=29&Itemid=1


############################################################################


#Sid3^effects