Vendor: Lizard Cart
By: indoushka
CVSS: 7.5 (HIGH)
Bug: Upload Shell
CWE: 434
Product Name: Lizard Cart
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux
Year: 2009

Lizard Cart Upload Shell Vulnerability

An attacker can upload a malicious shell to the vulnerable Lizard Cart application by exploiting the upload feature. The malicious shell can be uploaded in the form of .php, .html, .pl, and .asp files. The uploaded shell can be accessed from the graphics folder of the application.

Mitigation:

Disable the upload feature of the application or restrict the file types that can be uploaded.
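
The description above says uploaded files end up in the application's graphics folder. As an added example (not part of the original advisory and not Lizard Cart code), this Python sketch audits such a folder for anything that is not a genuine image. It assumes the folder should hold only JPEG, PNG and GIF files; the function names and sample files are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Assumption: only these image types belong here; values are their magic bytes.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Extensions named in the advisory; a hit anywhere in the name is a finding.
SCRIPT_EXTS = {".php", ".html", ".pl", ".asp"}

def audit_file(path):
    """Return the reasons a file is suspicious (empty list means clean)."""
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    if any(s in SCRIPT_EXTS for s in suffixes):
        reasons.append("script extension in name")
    final = suffixes[-1] if suffixes else ""
    if final not in ALLOWED:
        reasons.append("extension not in image allowlist")
    else:
        with path.open("rb") as fh:
            head = fh.read(8)  # longest signature above is 8 bytes
        if not head.startswith(ALLOWED[final]):
            reasons.append("content does not match extension")
    return reasons

def audit_folder(folder):
    """Map each flagged file (path relative to folder) to its findings."""
    root = Path(folder)
    found = {p.relative_to(root).as_posix(): audit_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {name: why for name, why in found.items() if why}

def demo():
    """Audit a constructed sample folder (placeholder bytes, not real site data)."""
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "item.php": b"constructed placeholder",
        "photo.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
        "thumb.jpg": b"constructed placeholder",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            (Path(d) / name).write_bytes(data)
        return audit_folder(d)
```

Point `audit_folder` at the deployed graphics directory to get a report; the same extension and magic-byte checks can be applied at upload time to enforce the file-type restriction.
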
Source

Exploit-DB raw data:

========================================================================================
| # Title    : Lizard Cart Upload Shell Vulnerability                                  |
| # Author   : indoushka                                                               |
| # email    : indoushka@hotmail.com                                                   |
| # Home     : Souk Naamane - 04325 - Oum El Bouaghi - Algeria -(00213771818860)       |
| # EDB-ID   :                                                                         |
| # CVE-ID   : ()                                                                      |
| # OSVDB-ID : ()                                                                      |
| # DAte     :16/12/2009                                                               |
| # Verified :                                                                         |
| # Web Site : www.iq-ty.com                                                           |
| # Published:                                                                         |
| # Script   : Lizard Cart. ( 2tone Web Design ).                                      |
| # Tested on: windows SP2 Français V.(Pnx2 2.0) + Linux Français v.(9.4 Ubuntu)       |
| # Bug      : Upload Shell                                                            |
======================      Exploit By indoushka       =================================
|# Exploit  :
| 1- http://localhost/lizardcart/admin/jscript/upload.php
| 2- http://localhost/lizardcart/admin/jscript/upload.html
| 3- http://localhost/lizardcart/admin/jscript/upload.pl
| 4- http://localhost/lizardcart/admin/jscript/upload.asp
| 5- Find it in http://localhost/lizardcart/graphics/
|
================================   Dz-Ghost Team   ========================================
Greetz : all my friend * Dos-Dz * Snakespc * His0k4 * Hussin-X * Str0ke * Saoucha * Star08 |
-------------------------------------------------------------------------------------------