Share
## https://sploitus.com/exploit?id=PACKETSTORM:179073
# Title : Authenticated Remote Code Execution & Shell Upload  
# Product : Quick Cart  
# Vendor : https://opensolution.org/  
# Affected Version : 6.7  
# Researcher : Eagle Eye  
# Tested on : Window & Linux  
# Date : 11/06/2024  
# Affected path : admin.php , core/common-admin.php, database/config.php  
# Affected function : saveVariables()  
# Report : Already contact the vendor but no response  
  
# Description : Unfiltered parameter that post into admin.php?p=tools-config override any  
$config key value cause to unwanted file inclusion and allowed file extension overriding  
lead to remote code execution.  
# Step to reproduce (Method 1)  
- login at admin.php  
- click Products and New Product from top navbar  
- On the right panel, choose add file  
- Upload malicious script with extension txt or any allowed extension like jpg  
- click setting on right above  
- click save and intercept the request  
- on body parameter, add &default_pages_template=../../files/yourmaliciousfile.txt and proceed  
# Step to reproduce (Method 2)  
- login at admin.php  
- click setting on right above  
- click save and intercept the request  
- on body parameter, add &allowed_extensions=php and proceed  
- click Products and New Product from top navbar  
- On the right panel, choose add file  
- And you can upload malicious script with extension php - You may find on path eg: http://website.com/files/shell.php