## https://sploitus.com/exploit?id=1337DAY-ID-39648
# Title : Authenticated Remote Code Execution & Shell Upload
# Product : Quick Cart
# Vendor : https://opensolution.org/
# Affected Version : 6.7
# Researcher : Eagle Eye
# Tested on : Window & Linux
# Affected path : admin.php , core/common-admin.php, database/config.php
# Affected function : saveVariables()
# Report : Already contact the vendor but no response
# Description : Unfiltered parameter that post into admin.php?p=tools-config override any
$config key value cause to unwanted file inclusion and allowed file extension overriding
lead to remote code execution.
# Step to reproduce (Method 1)
- login at admin.php
- click Products and New Product from top navbar
- On the right panel, choose add file
- Upload malicious script with extension txt or any allowed extension like jpg
- click setting on right above
- click save and intercept the request
- on body parameter, add &default_pages_template=../../files/yourmaliciousfile.txt and proceed
# Step to reproduce (Method 2)
- login at admin.php
- click setting on right above
- click save and intercept the request
- on body parameter, add &allowed_extensions=php and proceed
- click Products and New Product from top navbar
- On the right panel, choose add file
- And you can upload malicious script with extension php - You may find on path eg: http://website.com/files/shell.php