CS-CART

Authenticated RCE possible as admin. Log in at /admin

CS-Cart 1.3.3 - authenticated RCEExploit Database

Downlaod a PHP rev shell and rename the file to phprev.phtml

Change the IP and PORT to match the attacker machine

Upload a reverse php shell to the extension /admin.php?target=template_editor

Start up listener on an attacker machine

Navigate to /skins/phprev.phtml to start the rev shell ☺️

Practice Boxes

Proving grounds - Payday